Abstract. We define a logical framework with singleton types and one universe of small types. We give the semantics using a PER model; it is used for constructing a normalisation-by-evaluation algorithm. We prove completeness and soundness of the algorithm, and get as a corollary the injectivity of type constructors. Then we give the definition of a correct and complete type-checking algorithm for terms in normal form. We extend the results to proof-irrelevant propositions.



One of the raisons d'être of proof-checkers like Agda [46], Coq [33], and Epigram [30] is to decide if a given term has some type (either checking for a given type or inferring one); i.e., if a term corresponds to a proof of a proposition [32]. Hence, the convenience of such a system is, in part, determined by the types for which the system can check membership. We extend the decidability of type-checking done in previous works [2, 3] for Martin-Löf type theories [381 US] by considering singleton types and proof-irrelevant propositions.

We consider a type theory with a universe which allows large eliminations, i.e., types defined by recursion on natural numbers. The universe of small types was introduced by Martin-Löf [37] for formalising category theory. Martin-Löf presents universes in two different styles [38]: à la Russell (the one considered here), and à la Tarski.
Singleton types were introduced by Aspinall [10] in the context of specification languages. An important use of singletons is as definitions by abbreviations (see [10, 21]); they were also used to model translucent sums in the formalisation of SML [31]. It is interesting to consider singleton types because beta-eta phase separation fails: one cannot do eta-expansion before beta-normalisation of types because the shape of the types at which to eta-expand is still unknown at this point; and one cannot postpone eta-expansion after beta-normalisation, because eta-expansion at singleton type can trigger new beta-reductions. Stone and Harper [54] decide type checking in a logical framework (LF) with singleton types and subtyping. Yet it is not clear whether their method extends to computation on the type level. As far as we know, our work is the first where singleton types are considered together with a universe.

De Bruijn proposed the concept of irrelevance of proofs [18] for reducing the burden in the formalisation of mathematics. As shown by Werner [56], the use of proof-irrelevance types together with sigma types is one way to get subset types à la PVS [51] in type theories having the eta rule. This style of subset types was also explored by Sozeau [53, Sec. 3.3]; for another presentation of subset types in Martin-Löf type theory see [50]. Berardi conjectured that (impredicative) type theory with proof-irrelevance is equivalent to constructive mathematics [14].

Checking dependent types relies on checking types for equality. To this end, we compute η-long normal forms using normalisation by evaluation (NbE) [39]. Syntactic expressions are evaluated into a semantic domain and then reified back to expressions in normal form. To handle functional and open expressions, the semantic domain has to be equipped with variables; a major challenge in rigorous treatments of NbE has been the problem to generate fresh identifiers. Solutions include term families [TB], liftable de Bruijn terms [S], or Kripke semantics [5]. In this work we present a novel formulation of NbE which avoids the problem completely: reification is split into an η-expansion phase ($\downarrow$) in the semantics, followed by a read back function ($\mathsf{R}$) into the syntax which is indexed by the number of already used variables. This way, a standard PER model is sufficient, and technical difficulties are avoided.

Outline. In Section 2 we first present $\lambda^{\mathsf{Sing}}$, Martin-Löf's logical framework with one universe and singleton types, as a generalized algebraic theory [19]. Secondly, we introduce $\lambda^{\mathsf{Irr}}$, Martin-Löf type theory with natural numbers, sigma types, and proof-irrelevant propositions. In Section 3 we show some examples using singleton types and proof-irrelevant types. In Section 4 we present briefly NbE for untyped and simply typed lambda calculi; in particular we illustrate our novel approach to generate fresh identifiers. In Section 5 we define the semantics of the type theories by a PER model and prove the soundness of the inference rules. We use this model to introduce a normalization algorithm nbe, for which we prove completeness (if $t = t'$ is derivable, then $\mathsf{nbe}(t)$ and $\mathsf{nbe}(t')$ are identical). The soundness of the algorithm (i.e., $t = \mathsf{nbe}(t)$ is derivable) is proven by logical relations in Section 6. In Section 7 we define a bi-directional algorithm for checking the type of normal forms and inferring the type of neutral terms. More related work is discussed in Section 8. The Haskell programs corresponding to the NbE and type-checking algorithms are shown in the appendices A and B respectively.
2. The Calculus as a Generalised Algebraic Theory

In this section, we introduce the type theory. In order to show the modularity of our approach, we present it as two calculi $\lambda^{\mathsf{Sing}}$ and $\lambda^{\mathsf{Irr}}$: the first one has dependent function spaces, singleton types, and a universe closed under function spaces and singletons. In the second calculus we leave out singleton types and we add natural numbers, sigma types, and proof-irrelevant propositions. It is not clear if singleton types can be combined with proof-irrelevant propositions without turning the system inconsistent.

We present the calculi using the formalism proposed by Cartmell for generalised algebraic theories (GAT) [19]. A GAT consists of sort symbols and operator symbols, each with a dependent typing, and equations between sort expressions and terms ("operator expressions"). Following Dybjer [21], we are using "informal syntax" where redundant arguments to operators are left implicit.

2.1. Calculus $\lambda^{\mathsf{Sing}}$ with singleton types. We use capital Greek letters ($\Gamma, \Delta$) for variables ranging over contexts; capital letters from the beginning of the Latin alphabet ($A$, $B$) for variables ranging over types; small Greek letters ($\delta, \rho, \sigma$) are used for variables denoting substitutions; and minuscule Latin characters ($r, s, t, u, a, b$) for variables on terms. Words in sans face denote constants (e.g., $\mathsf{Type}$, $\mathsf{q}$).



2.1.1. Sorts. The set of sort symbols is $\{\mathsf{Ctx},\ \_\to\_,\ \mathsf{Type},\ \mathsf{Term}\}$ and their formation rules, in the sense of Cartmell's GATs, are:

\[
\frac{}{\mathsf{Ctx}\ \text{is a type}}\ (\textsc{ctx-sort})
\qquad
\frac{\Gamma, \Delta \in \mathsf{Ctx}}{\Gamma \to \Delta\ \text{is a type}}\ (\textsc{subs-sort})
\]
\[
\frac{\Gamma \in \mathsf{Ctx}}{\mathsf{Type}(\Gamma)\ \text{is a type}}\ (\textsc{type-sort})
\qquad
\frac{\Gamma \in \mathsf{Ctx} \quad A \in \mathsf{Type}(\Gamma)}{\mathsf{Term}(\Gamma, A)\ \text{is a type}}\ (\textsc{term-sort})
\]

In the following, whenever a rule has a hypothesis $A \in \mathsf{Type}(\Gamma)$, then $\Gamma \in \mathsf{Ctx}$ shall be a further, implicit hypothesis. Similarly, $\sigma \in \Gamma \to \Delta$ presupposes $\Gamma \in \mathsf{Ctx}$ and $\Delta \in \mathsf{Ctx}$, and $t \in \mathsf{Term}(\Gamma, A)$ presupposes $A \in \mathsf{Type}(\Gamma)$, which in turn presupposes $\Gamma \in \mathsf{Ctx}$. Note that judgements of the form $\Gamma \in \mathsf{Ctx}$, $A \in \mathsf{Type}(\Gamma)$, $t \in \mathsf{Term}(\Gamma, A)$, and $\sigma \in \Gamma \to \Delta$ correspond to the more conventional forms $\Gamma \vdash$, $\Gamma \vdash A$, $\Gamma \vdash t : A$, and $\Gamma \vdash \sigma : \Delta$, resp. After we have defined the judgements, we will use the latter, more readable versions.



2.1.2. Operators. The set of operators is quite large and instead of giving it at once, we 
define it as the union of the disjoint sets of operators for contexts, substitutions, types, and 
terms. 

Contexts. There are the usual two operators for constructing contexts: $\mathcal{S}_C = \{\diamond,\ \_.\_\}$.

\[
\frac{}{\diamond \in \mathsf{Ctx}}\ (\textsc{empty-ctx})
\qquad
\frac{\Gamma \in \mathsf{Ctx} \quad A \in \mathsf{Type}(\Gamma)}{\Gamma.A \in \mathsf{Ctx}}\ (\textsc{ext-ctx})
\]
Substitutions. We have five operators for substitutions, which are the usual operators for explicit substitutions [1]: $\mathcal{S}_S = \{(),\ (\_,\_),\ \mathsf{id},\ \_\_,\ \mathsf{p}\}$. Semantically, substitutions $\sigma \in \Gamma \to \Delta$ are sequences of values, one for every variable declaration in $\Delta$. The sequences are constructed from the empty sequence $()$ by sequence extension $(\sigma, t)$. Substitutions form a category with identity $\mathsf{id}_\Gamma$ and composition $\sigma\,\delta$. Finally, we have the first projection $\mathsf{p}$ on sequences.

\[
\frac{\Gamma \in \mathsf{Ctx}}{() \in \Gamma \to \diamond}\ (\textsc{empty-subs})
\qquad
\frac{\sigma \in \Gamma \to \Delta \quad t \in \mathsf{Term}(\Gamma, A\sigma)}{(\sigma, t) \in \Gamma \to \Delta.A}\ (\textsc{ext-subs})
\]
\[
\frac{\Gamma \in \mathsf{Ctx}}{\mathsf{id}_\Gamma \in \Gamma \to \Gamma}\ (\textsc{id-subs})
\qquad
\frac{\delta \in \Gamma \to \Theta \quad \sigma \in \Theta \to \Delta}{\sigma\,\delta \in \Gamma \to \Delta}\ (\textsc{comp-subs})
\qquad
\frac{A \in \mathsf{Type}(\Gamma)}{\mathsf{p} \in \Gamma.A \to \Gamma}\ (\textsc{fst-subs})
\]

Types. The set of operators for types is $\mathcal{S}_T = \{\mathsf{U},\ \mathsf{Fun}\,\_\,\_,\ \{\_\}_\_\}$. $\mathsf{U}$ is a universe of small types à la Russell, which means its elements are directly usable as types (u-el) without coercion. Besides dependent function types $\mathsf{Fun}\,A\,B$ we have the singleton type $\{t\}_A$, a subtype of $A$ containing $t$ as single inhabitant. Types $A$ are closed under substitution $A\sigma$.

\[
\frac{\Gamma \in \mathsf{Ctx}}{\mathsf{U} \in \mathsf{Type}(\Gamma)}\ (\textsc{u-f})
\qquad
\frac{A \in \mathsf{Term}(\Gamma, \mathsf{U})}{A \in \mathsf{Type}(\Gamma)}\ (\textsc{u-el})
\qquad
\frac{A \in \mathsf{Type}(\Gamma) \quad B \in \mathsf{Type}(\Gamma.A)}{\mathsf{Fun}\,A\,B \in \mathsf{Type}(\Gamma)}\ (\textsc{fun-f})
\]
\[
\frac{A \in \mathsf{Type}(\Gamma) \quad t \in \mathsf{Term}(\Gamma, A)}{\{t\}_A \in \mathsf{Type}(\Gamma)}\ (\textsc{sing-f})
\qquad
\frac{A \in \mathsf{Type}(\Delta) \quad \sigma \in \Gamma \to \Delta}{A\sigma \in \mathsf{Type}(\Gamma)}\ (\textsc{subs-type})
\]

Terms. The set of operators for terms is $\mathcal{S}_E = \{\mathsf{Fun}\,\_\,\_,\ \lambda\_,\ \mathsf{app}\,\_\,\_,\ \mathsf{q},\ \_\_,\ \{\_\}_\_\}$. It includes function space $\mathsf{Fun}\,A\,B$ and singleton $\{t\}_A$ as small-type constructors in $\mathsf{U}$. Lambda terms with explicit substitutions are obtained via the constructions $\lambda t$, $\mathsf{app}\ t\ u$, $\mathsf{q}$, and $t\sigma$. Since we have used juxtaposition for composition and application of substitutions, we have the explicit $\mathsf{app}$ for term application. Note that $\mathsf{q}$ stands for the top (0th) variable; the $n$th variable is expressed as $\mathsf{q}\,\mathsf{p}^n$.

\[
\frac{A \in \mathsf{Term}(\Gamma, \mathsf{U}) \quad B \in \mathsf{Term}(\Gamma.A, \mathsf{U})}{\mathsf{Fun}\,A\,B \in \mathsf{Term}(\Gamma, \mathsf{U})}\ (\textsc{fun-u-i})
\qquad
\frac{t \in \mathsf{Term}(\Gamma.A, B)}{\lambda t \in \mathsf{Term}(\Gamma, \mathsf{Fun}\,A\,B)}\ (\textsc{fun-i})
\]
\[
\frac{B \in \mathsf{Type}(\Gamma.A) \quad t \in \mathsf{Term}(\Gamma, \mathsf{Fun}\,A\,B) \quad u \in \mathsf{Term}(\Gamma, A)}{\mathsf{app}\ t\ u \in \mathsf{Term}(\Gamma, B\,(\mathsf{id}_\Gamma, u))}\ (\textsc{fun-el})
\]
\[
\frac{A \in \mathsf{Type}(\Gamma)}{\mathsf{q} \in \mathsf{Term}(\Gamma.A, A\mathsf{p})}\ (\textsc{hyp})
\qquad
\frac{\sigma \in \Gamma \to \Delta \quad t \in \mathsf{Term}(\Delta, A)}{t\sigma \in \mathsf{Term}(\Gamma, A\sigma)}\ (\textsc{subs-term})
\]
\[
\frac{A \in \mathsf{Term}(\Gamma, \mathsf{U}) \quad t \in \mathsf{Term}(\Gamma, A)}{\{t\}_A \in \mathsf{Term}(\Gamma, \mathsf{U})}\ (\textsc{sing-u-i})
\qquad
\frac{t \in \mathsf{Term}(\Gamma, A)}{t \in \mathsf{Term}(\Gamma, \{t\}_A)}\ (\textsc{sing-i})
\qquad
\frac{a \in \mathsf{Term}(\Gamma, A) \quad t \in \mathsf{Term}(\Gamma, \{a\}_A)}{t \in \mathsf{Term}(\Gamma, A)}\ (\textsc{sing-el})
\]



2.1.3. Axioms for Equational Theory. In the following, we present the axioms of the equational theory of $\lambda^{\mathsf{Sing}}$. Equality is considered as the congruence closure of these axioms. Congruence rules, also called derived rules, are generated mechanically for each symbol from its typing. For instance, rule (subs-type) induces the derived rule

\[
\frac{A = B \in \mathsf{Type}(\Gamma) \quad \gamma = \delta \in \Delta \to \Gamma}{A\gamma = B\delta \in \mathsf{Type}(\Delta)}
\]

Another instance of a derived rule is conversion; it holds because of equality between sorts, such as $\mathsf{Term}(\Gamma, A) = \mathsf{Term}(\Gamma, A')$:

\[
\frac{t \in \mathsf{Term}(\Gamma, A) \quad A = A' \in \mathsf{Type}(\Gamma)}{t \in \mathsf{Term}(\Gamma, A')}
\]

In the following, we present equality axioms without the premises concerning typing, except in the cases where they cannot be inferred.

Substitutions. The first two equations witness extensionality for the identity substitution, the next three the composition laws for the category of substitutions. Then there is a law for the first projection $\mathsf{p}$, and the last two laws show how to propagate a substitution $\delta$ into a tuple.

\[
\begin{array}{ll}
\mathsf{id}_\diamond = () & \mathsf{id}_{\Gamma.A} = (\mathsf{p}, \mathsf{q})\\[2pt]
\mathsf{id}\,\sigma = \sigma & \sigma\,\mathsf{id} = \sigma\\[2pt]
(\sigma\,\delta)\,\gamma = \sigma\,(\delta\,\gamma) & \mathsf{p}\,(\sigma, t) = \sigma\\[2pt]
()\,\delta = () & (\sigma, t)\,\delta = (\sigma\delta, t\delta)
\end{array}
\]

Axioms for $\beta$ and $\eta$, propagation and resolution of substitutions. An explicit substitution $(\mathsf{id}_\Gamma, r)$ is created by contracting a $\beta$-redex (first law). It is then propagated into the various term constructions until it can be resolved (last two laws).

\[
\begin{array}{ll}
\mathsf{app}\ (\lambda t)\ r = t\,(\mathsf{id}_\Gamma, r) & \lambda(\mathsf{app}\ (t\mathsf{p})\ \mathsf{q}) = t\\[2pt]
\mathsf{U}\sigma = \mathsf{U} & (\{t\}_A)\sigma = \{t\sigma\}_{A\sigma}\\[2pt]
(\mathsf{Fun}\,A\,B)\sigma = \mathsf{Fun}\,(A\sigma)\,(B\,(\sigma\mathsf{p}, \mathsf{q})) & (\lambda t)\sigma = \lambda(t\,(\sigma\mathsf{p}, \mathsf{q}))\\[2pt]
(\mathsf{app}\ r\ s)\sigma = \mathsf{app}\ (r\sigma)\ (s\sigma) & (t\delta)\sigma = t\,(\delta\sigma)\\[2pt]
\mathsf{q}\,(\sigma, t) = t & t\,\mathsf{id} = t
\end{array}
\]
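To make the substitution laws of this section concrete, here is an added example (a Python model written for this page; it is not the paper's Haskell code from the appendices). It implements the five substitution operators, the composition laws, the propagation and resolution laws above, and the $\beta$-law $\mathsf{app}\ (\lambda t)\ r = t\,(\mathsf{id}, r)$, and normalises a term by pushing every substitution down to the variables. The tuple encoding, the canonical form `('shift', k)` for $\mathsf{p}^k$ (with $k = 0$ standing for $\mathsf{id}$), and the function names are assumptions of this example; the de Bruijn index $\mathsf{V}_i = \mathsf{q}\,\mathsf{p}^i$ is stored directly as `('var', i)`, and no $\eta$-expansion is performed.

```python
# Added example (not code from the paper): explicit substitutions with the
# propagation/resolution laws of Section 2.1.3 and beta-reduction, in Python.

U = ('U',)
def var(i):     return ('var', i)        # V_i = q p^i; q is var(0)
def app(t, u):  return ('app', t, u)
def lam(t):     return ('lam', t)        # λt, body lives in the extended context
def fun(a, b):  return ('fun', a, b)     # Fun A B
def sing(t, a): return ('sing', t, a)    # {t}_A
def sub(t, s):  return ('sub', t, s)     # explicit substitution t σ

ID, P, EMPTY = ('id',), ('p',), ('empty',)   # id, p, ()
def ext(s, t):  return ('ext', s, t)     # (σ, t)
def comp(s, d): return ('comp', s, d)    # σ δ: σ is applied to the term first, then δ

def deb(i):
    """Definition 2.2 in the page's own syntax: q p^i as nested substitutions."""
    return var(0) if i <= 0 else sub(deb(i - 1), P)

# Canonical substitutions: ('shift', k) stands for p^k (k = 0 is id),
# ('ext', s, t) for (s, t) with s canonical, ('empty',) for ().
def snorm(s):
    tag = s[0]
    if tag == 'shift': return s
    if tag == 'id':    return ('shift', 0)
    if tag == 'p':     return ('shift', 1)
    if tag == 'empty': return EMPTY
    if tag == 'ext':   return ext(snorm(s[1]), s[2])
    return compose(snorm(s[1]), snorm(s[2]))            # 'comp'

def compose(s, d):
    """σ δ in canonical form, using the composition laws of Section 2.1.3."""
    if s == ('shift', 0): return d                      # id σ = σ
    if d == ('shift', 0): return s                      # σ id = σ
    if s == EMPTY:        return EMPTY                  # () δ = ()
    if s[0] == 'ext':                                   # (σ, t) δ = (σ δ, t δ)
        return ext(compose(s[1], d), sub(s[2], d))
    k = s[1]                                            # s = p^k with k >= 1
    if d[0] == 'shift':   return ('shift', k + d[1])    # p^k p^j = p^(k+j)
    if d[0] == 'ext':     return compose(('shift', k - 1), d[1])   # p (σ, t) = σ
    raise ValueError("p applied to the empty substitution: ill-typed")

def lift(s):
    """(σ p, q): the substitution pushed under a binder."""
    return ext(compose(s, ('shift', 1)), var(0))

def lookup(s, i):
    """Resolve V_i σ: q (σ, t) = t, V_{i+1} (σ, t) = V_i σ, V_i p^k = V_{i+k}."""
    if s[0] == 'shift': return var(i + s[1])
    if s[0] == 'ext':   return s[2] if i == 0 else lookup(s[1], i - 1)
    raise ValueError("variable under the empty substitution: ill-typed")

def subst(t, s):
    """Propagate a canonical substitution s into t (laws of Section 2.1.3)."""
    tag = t[0]
    if tag == 'var':  return lookup(s, t[1])
    if tag == 'U':    return U                                      # U σ = U
    if tag == 'app':  return app(subst(t[1], s), subst(t[2], s))
    if tag == 'lam':  return lam(subst(t[1], lift(s)))              # (λt) σ = λ(t (σ p, q))
    if tag == 'fun':  return fun(subst(t[1], s), subst(t[2], lift(s)))
    if tag == 'sing': return sing(subst(t[1], s), subst(t[2], s))   # ({t}_A) σ = {tσ}_{Aσ}
    return subst(t[1], compose(snorm(t[2]), s))                     # (t δ) σ = t (δ σ)

def nf(t):
    """Beta-normal form with every explicit substitution resolved."""
    tag = t[0]
    if tag in ('var', 'U'): return t
    if tag == 'lam':  return lam(nf(t[1]))
    if tag == 'fun':  return fun(nf(t[1]), nf(t[2]))
    if tag == 'sing': return sing(nf(t[1]), nf(t[2]))
    if tag == 'sub':  return nf(subst(t[1], snorm(t[2])))
    r, u = nf(t[1]), nf(t[2])                                       # 'app'
    if r[0] == 'lam':                                               # app (λt) r = t (id, r)
        return nf(subst(r[1], ext(('shift', 0), u)))
    return app(r, u)

if __name__ == "__main__":
    two = lam(lam(app(var(1), app(var(1), var(0)))))      # Church numeral 2
    print(nf(app(app(two, lam(var(0))), U)))              # ('U',)
    print(nf(sub(fun(var(0), var(1)), ext(ID, U))))       # ('fun', ('U',), ('U',))
```

The law $\mathsf{p}\,(\sigma, t) = \sigma$ is what makes `compose` terminate on a shift meeting an extension, and `lift` is the $(\sigma\mathsf{p}, \mathsf{q})$ that every law for a binder ($\lambda$, $\mathsf{Fun}$) uses; a substitution stored inside an extension stays pending as a `('sub', ...)` node until `nf` reaches it, which is exactly the "propagate until it can be resolved" discipline of the text.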
Singleton types. All inhabitants of a singleton type are equal (sing-eq-i). We mention the important derived rule (sing-eq-el) here explicitly.

\[
\frac{t, t' \in \mathsf{Term}(\Gamma, \{a\}_A)}{t = t' \in \mathsf{Term}(\Gamma, \{a\}_A)}\ (\textsc{sing-eq-i})
\qquad
\frac{t = t' \in \mathsf{Term}(\Gamma, \{a\}_A)}{t = t' \in \mathsf{Term}(\Gamma, A)}\ (\textsc{sing-eq-el})
\]

There is a choice how to express the last two rules; they could be replaced with

\[
\frac{t \in \mathsf{Term}(\Gamma, \{a\}_A)}{t = a \in \mathsf{Term}(\Gamma, \{a\}_A)}\ (\textsc{sing-eq-i}')
\qquad
\frac{t \in \mathsf{Term}(\Gamma, \{a\}_A)}{t = a \in \mathsf{Term}(\Gamma, A)}\ (\textsc{sing-eq-el}')
\]

The rule (sing-eq-el) is essential; in fact, since we have eta-expansion for singletons, we would like to derive

\[
\Gamma.\{\lambda t\}_{\mathsf{Fun}\,A\,B} \vdash \mathsf{app}\ \mathsf{q}\ a = t\,(\mathsf{id}, a) : B\,(\mathsf{id}, a)
\]

from $\Gamma.\{\lambda t\}_{\mathsf{Fun}\,A\,B} \vdash \mathsf{q} = \lambda t : \{\lambda t\}_{\mathsf{Fun}\,A\,B}$ and $\Gamma \vdash a : A$, which would be impossible if (sing-eq-el) were not a rule.

Conventions. We denote with $|\Gamma|$ the length of the context $\Gamma$; and $\Gamma!i$ is the projection of the $i$-th component of $\Gamma$, for $0 \le i < |\Gamma|$; i.e. if $\Gamma = A_{n-1}.\cdots.A_0$ and $0 \le i < n$, then $\Gamma!i = A_i$. We say $\Delta \le^i \Gamma$ if $\Delta \vdash \mathsf{p}^i : \Gamma$, where $\mathsf{p}^i$ is the $i$-fold composition of $\mathsf{p}$ with itself.

We denote with $\mathsf{Terms}$ the set of words freely generated using symbols in $\mathcal{S}_S$, $\mathcal{S}_T$, $\mathcal{S}_E$. We write $t \equiv_T t'$ for denoting syntactical equality of $t$ and $t'$ in $T \subseteq \mathsf{Terms}$. We call $A$ the tag of $\{a\}_A$.

Remark 2.1. Note that if $\Delta \vdash \mathsf{p}^i : \Gamma$, and $\Gamma \vdash \mathsf{p}^j : \Theta$, then $\Delta \vdash \mathsf{p}^{i+j} : \Theta$.

Definition 2.2 (de Bruijn index). The $i$th de Bruijn index $\mathsf{V}_i$ is defined as

\[
\mathsf{V}_i = \begin{cases} \mathsf{q} & \text{if } i \le 0 \\ \mathsf{q}\,\mathsf{p}^i & \text{if } i > 0. \end{cases}
\]

For convenience, we identify negative indices with the 0th index.

The following grammar describes the set $\mathsf{Nf}$ of $\beta$-normal forms. As auxiliary notion, it uses the set $\mathsf{Ne}$ of neutral normal forms, i.e., normal forms with a variable in head position, which blocks reduction. A bit sloppily, we refer to elements of $\mathsf{Ne}$ as "neutral terms"; in general, the attribute neutral shall mean variable in head position (this is stricter than Girard's concept of neutral [28]).

Definition 2.3 (Neutral terms, and normal forms).

\[
\begin{array}{lll}
\mathsf{Ne} \ni k & ::= & \mathsf{V}_i \mid \mathsf{app}\ k\ v\\
\mathsf{Nf} \ni v, V, W & ::= & \mathsf{U} \mid \mathsf{Fun}\,V\,W \mid \{v\}_V \mid \lambda v \mid k
\end{array}
\]

An advantage of introducing the calculus as a GAT is that we can derive several syntactical results from the meta-theory of GATs; for instance, some of the following inversion results, which are needed in the proof of completeness of the type-checking algorithm.

Remark 2.4 (Weakening of judgements). Let $\Delta \le^i \Gamma$, $\Gamma \vdash A = A'$, and $\Gamma \vdash t = t' : A$; then $\Delta \vdash A\mathsf{p}^i = A'\mathsf{p}^i$, and $\Delta \vdash t\mathsf{p}^i = t'\mathsf{p}^i : A\mathsf{p}^i$.



Footnote: The direction $\Delta \le \Gamma$ (as opposed to $\Gamma \le \Delta$) has been chosen to be compatible with subtyping $A \le B$.



Footnote: Weakening (Remark 2.4) is a special case of subsumption, which states that $\Delta \le \Gamma \vdash t : A \le B$ implies $\Delta \vdash t : B$.
Remark 2.5 (Syntactic validity).

(1) If $\Gamma \vdash t : A$, then $\Gamma \vdash A$.

(2) If $\Gamma \vdash t = t' : A$, then both $\Gamma \vdash t : A$, and $\Gamma \vdash t' : A$.

(3) If $\Gamma \vdash A = A'$, then both $\Gamma \vdash A$, and $\Gamma \vdash A'$.

Lemma 2.6 (Inversion of types).

(1) If $\Gamma \vdash \mathsf{Fun}\,A\,B$, then $\Gamma \vdash A$, and $\Gamma.A \vdash B$.

(2) If $\Gamma \vdash \{a\}_A$, then $\Gamma \vdash A$, and $\Gamma \vdash a : A$.

(3) If $\Gamma \vdash k$, then $\Gamma \vdash k : \mathsf{U}$.

The following lemma can be proved directly by induction on derivations by checking the possible rules used in the last step.

Lemma 2.7 (Inversion of typing).

(1) If $\Gamma \vdash \mathsf{Fun}\,A'\,B' : A$, then $\Gamma \vdash A = \mathsf{U}$, $\Gamma \vdash A' : \mathsf{U}$, and also $\Gamma.A' \vdash B' : \mathsf{U}$;

(2) if $\Gamma \vdash \{b\}_B : A$, then $\Gamma \vdash A = \mathsf{U}$, $\Gamma \vdash B : \mathsf{U}$, and also $\Gamma \vdash b : B$;

(3) if $\Gamma \vdash \lambda t : A$, then either

(a) $\Gamma \vdash A = \mathsf{Fun}\,A'\,B$ with $\Gamma.A' \vdash t : B$; or

(b) $\Gamma \vdash A = \{a\}_{A'}$ with $\Gamma \vdash \lambda t = a : A'$.

(4) if $\Gamma \vdash \mathsf{app}\ t\ r : A$, then $\Gamma \vdash t : \mathsf{Fun}\,A'\,B'$, $\Gamma \vdash r : A'$, and $\Gamma \vdash A = B'\,(\mathsf{id}, r)$.

Proof. (1) The last rule used is one of (fun-u-i), (conv), (sing-i), or (sing-el). In the first case the premises of the rule are what is to be proved; in all other cases we have a premise with the form $\Gamma \vdash \mathsf{Fun}\,A'\,B' : B$, hence we can apply the i.h. (2-4) Analogously. $\square$

Remark 2.8 (Inversion of substitution). Any substitution $\Delta \vdash \sigma : \Gamma.A$ is equal to some substitution $\Delta \vdash (\sigma', t) : \Gamma.A$. It is enough to note $\mathsf{id}_{\Gamma.A} = (\mathsf{p}, \mathsf{q})$, hence we have the equalities $\sigma = \mathsf{id}\,\sigma = (\mathsf{p}, \mathsf{q})\,\sigma = (\mathsf{p}\sigma, \mathsf{q}\sigma)$.

2.2. $\lambda^{\mathsf{Irr}}$: a type theory with proof-irrelevance. In this section we keep the basic rules of the previous calculus (those that do not refer to singleton types), and introduce types for natural numbers, enumeration sets, sigma types, and proof-irrelevant types. The main difference with other presentations ([45], [38]) on the syntactic level is that the eliminator operator (for each type) has as an argument the type of the result. The presence of the resulting type in the eliminator is needed in order to define the normalisation function; it is also necessary for the type-inference algorithm.

Sigma types. Both $\mathsf{U}$ and $\mathsf{Type}$ are closed under (strong) sigma-type formation; $(a, b)$ introduces a dependent pair and $\mathsf{fst}\ t$ and $\mathsf{snd}\ t$ eliminate it.

\[
\frac{A \in \mathsf{Term}(\Gamma, \mathsf{U}) \quad B \in \mathsf{Term}(\Gamma.A, \mathsf{U})}{\Sigma A B \in \mathsf{Term}(\Gamma, \mathsf{U})}\ (\textsc{sum-u-i})
\qquad
\frac{A \in \mathsf{Type}(\Gamma) \quad B \in \mathsf{Type}(\Gamma.A)}{\Sigma A B \in \mathsf{Type}(\Gamma)}\ (\textsc{sum-f})
\]
\[
\frac{B \in \mathsf{Type}(\Gamma.A) \quad a \in \mathsf{Term}(\Gamma, A) \quad b \in \mathsf{Term}(\Gamma, B\,(\mathsf{id}, a))}{(a, b) \in \mathsf{Term}(\Gamma, \Sigma A B)}\ (\textsc{sum-in})
\]
\[
\frac{t \in \mathsf{Term}(\Gamma, \Sigma A B)}{\mathsf{fst}\ t \in \mathsf{Term}(\Gamma, A)}\ (\textsc{sum-el1})
\qquad
\frac{t \in \mathsf{Term}(\Gamma, \Sigma A B)}{\mathsf{snd}\ t \in \mathsf{Term}(\Gamma, B\,(\mathsf{id}, \mathsf{fst}\ t))}\ (\textsc{sum-el2})
\]
The $\beta$- and $\eta$-laws for pairs are given by the first three equations to follow. The remaining equations propagate substitutions into the new term constructors.

\[
\begin{array}{lll}
\mathsf{fst}\ (a, b) = a & \mathsf{snd}\ (a, b) = b & (\mathsf{fst}\ t, \mathsf{snd}\ t) = t\\[2pt]
(\mathsf{fst}\ t)\sigma = \mathsf{fst}\ (t\sigma) & (\mathsf{snd}\ t)\sigma = \mathsf{snd}\ (t\sigma) & (a, b)\sigma = (a\sigma, b\sigma)\\[2pt]
(\Sigma A B)\sigma = \Sigma\,(A\sigma)\,(B\,(\sigma\mathsf{p}, \mathsf{q}))
\end{array}
\]

Propagation laws can be obtained mechanically: to propagate $\sigma$ into $c\,t_1 \cdots t_n$, just compose it with each $t_i$ that is not a binder (e.g., $A$ in $\Sigma A B$), and compose its lifted version $(\sigma\mathsf{p}, \mathsf{q})$ with each $t_j$ that is a binder (e.g., $B$ in $\Sigma A B$). Binders are those formed in an extended context (here, $B \in \mathsf{Type}(\Gamma.A)$). In the following, we will skip the propagation laws.

Natural numbers. We add an inductive type $\mathsf{Nat}$ with constructors $\mathsf{zero}$ and $\mathsf{suc}$ and primitive recursion $\mathsf{natrec}$.

\[
\frac{\Gamma \in \mathsf{Ctx}}{\mathsf{Nat} \in \mathsf{Term}(\Gamma, \mathsf{U})}\ (\textsc{nat-u-i})
\qquad
\frac{\Gamma \in \mathsf{Ctx}}{\mathsf{zero} \in \mathsf{Term}(\Gamma, \mathsf{Nat})}\ (\textsc{nat-z-i})
\qquad
\frac{t \in \mathsf{Term}(\Gamma, \mathsf{Nat})}{\mathsf{suc}\ t \in \mathsf{Term}(\Gamma, \mathsf{Nat})}\ (\textsc{nat-s-i})
\]
\[
\frac{B \in \mathsf{Type}(\Gamma.\mathsf{Nat}) \quad t \in \mathsf{Term}(\Gamma, \mathsf{Nat}) \quad z \in \mathsf{Term}(\Gamma, B\,(\mathsf{id}, \mathsf{zero})) \quad s \in \mathsf{Term}(\Gamma, \mathsf{Rec}(B))}{\mathsf{natrec}\ B\ z\ s\ t \in \mathsf{Term}(\Gamma, B\,(\mathsf{id}, t))}\ (\textsc{nat-el})
\]

Here, we used $\mathsf{Rec}(B)$ as an abbreviation for $\mathsf{Fun}\,\mathsf{Nat}\,(\mathsf{Fun}\,B\,(B\,(\mathsf{p}, \mathsf{suc}\ \mathsf{q})\,\mathsf{p}))$, which in conventional notation reads $\Pi x : \mathsf{Nat}.\ B \to B[\mathsf{suc}\ x / x]$. Since $B$ is a big type, it can mention the universe $\mathsf{U}$; thus, we can define small types by recursion via $\mathsf{natrec}$. This so-called large elimination excludes normalization proofs which use induction on type expressions [23, 22]. We add the usual computation laws for primitive recursion.

\[
\begin{array}{l}
\mathsf{natrec}\ B\ z\ s\ \mathsf{zero} = z\\[2pt]
\mathsf{natrec}\ B\ z\ s\ (\mathsf{suc}\ t) = \mathsf{app}\ (\mathsf{app}\ s\ t)\ (\mathsf{natrec}\ B\ z\ s\ t)
\end{array}
\]

Enumeration sets. The type $\mathsf{N}_n$ has the $n$ canonical inhabitants $\mathsf{c}^n_0, \ldots, \mathsf{c}^n_{n-1}$, which can be eliminated by the dependent case distinction $\mathsf{case}^n\ B\ t_0 \cdots t_{n-1}\ t$ with $n$ branches.

\[
\frac{\Gamma \in \mathsf{Ctx}}{\mathsf{N}_n \in \mathsf{Term}(\Gamma, \mathsf{U})}\ (\textsc{n}_n\textsc{-u-i})
\qquad
\frac{\Gamma \in \mathsf{Ctx} \quad i < n}{\mathsf{c}^n_i \in \mathsf{Term}(\Gamma, \mathsf{N}_n)}\ (\textsc{n}_n\textsc{-i})
\]
\[
\frac{B \in \mathsf{Type}(\Gamma.\mathsf{N}_n) \quad t \in \mathsf{Term}(\Gamma, \mathsf{N}_n) \quad t_0 \in \mathsf{Term}(\Gamma, B\,(\mathsf{id}, \mathsf{c}^n_0)) \quad \cdots \quad t_{n-1} \in \mathsf{Term}(\Gamma, B\,(\mathsf{id}, \mathsf{c}^n_{n-1}))}{\mathsf{case}^n\ B\ t_0 \cdots t_{n-1}\ t \in \mathsf{Term}(\Gamma, B\,(\mathsf{id}, t))}\ (\textsc{n}_n\textsc{-el})
\]

We add the usual computational law for case distinction, and weak extensionality, which for booleans ($\mathsf{N}_2$) reads "if $t$ then true else false $= t$" in sugared syntax.

\[
\begin{array}{l}
\mathsf{case}^n\ B\ t_0 \cdots t_{n-1}\ \mathsf{c}^n_i = t_i\\[2pt]
\mathsf{case}^n\ \mathsf{N}_n\ \mathsf{c}^n_0 \cdots \mathsf{c}^n_{n-1}\ t = t
\end{array}
\]

For $\mathsf{N}_0$ and $\mathsf{N}_1$ we can formulate strong $\eta$-laws: all their inhabitants are considered equal, since there is at most one. To realize this, we introduce a new term $\star$ in $\mathsf{N}_0$ if it already has an inhabitant $t$; we consider $\star$ as normal form of $t$. Note that this seemingly paradoxical canonical form $\star \in \mathsf{N}_0$ does not threaten consistency, since it cannot exist in the empty context $\Gamma = \diamond$; otherwise there would have already been a term $t \in \mathsf{Term}(\diamond, \mathsf{N}_0)$.

\[
\frac{t \in \mathsf{Term}(\Gamma, \mathsf{N}_0)}{\star \in \mathsf{Term}(\Gamma, \mathsf{N}_0)}\ (\textsc{n}_0\textsc{-tm})
\qquad
\frac{t, t' \in \mathsf{Term}(\Gamma, \mathsf{N}_0)}{t = t' \in \mathsf{Term}(\Gamma, \mathsf{N}_0)}\ (\textsc{n}_0\textsc{-eq})
\qquad
\frac{t, t' \in \mathsf{Term}(\Gamma, \mathsf{N}_1)}{t = t' \in \mathsf{Term}(\Gamma, \mathsf{N}_1)}\ (\textsc{n}_1\textsc{-eq})
\]

On the one hand, rule (n$_0$-tm) destroys decidability of type checking: to check whether $\star \in \mathsf{Term}(\Gamma, \mathsf{N}_0)$ we would have to decide the consistency of $\Gamma$, which is certainly impossible in a theory with natural numbers. On the other hand, it allows us to decide equality by computing canonical forms. We solve this dilemma by forbidding $\star$ in the user syntax which is input for the type-checker; $\star$ is only used internally in the NbE algorithm and in the canonical forms it produces. Formally this is reflected by having two calculi: one with the rule (n$_0$-tm) and one without it. For distinguishing the calculi, we decorate the turnstile ($\vdash^*$) in judgements of the former and leave ($\vdash$) for the calculus without (n$_0$-tm). We also use the different turnstiles for referring to each calculus. In Sect. 2.3 we prove that ($\vdash^*$) is a conservative extension of ($\vdash$).

Strong extensionality for booleans and larger enumeration sets is hard to implement [Hi [12] and beyond the scope of this work.

In the sequel we use $\vec{t}$ for denoting the $n$ terms $t_0 \cdots t_{n-1}$ in $\mathsf{case}^n\ B\ t_0 \cdots t_{n-1}\ r$. We will omit the superscript $n$ in $\mathsf{c}^n_i$, and in $\mathsf{case}\ B\ \vec{t}\ r$.

Proof irrelevance. Our treatment of proof-irrelevance is based on Awodey and Bauer [11] and Maillard [36]. The constructor $\mathsf{Prf}$ turns a type $A$ into the proposition $\mathsf{Prf}\,A$ in the sense that only the fact matters whether $A$ is inhabited, not by what. An inhabited proposition is regarded as true, an uninhabited as false. The proposition $\mathsf{Prf}\,A$ still has all inhabitants of $A$, but now they are considered equal. If $A$ is not empty, we introduce a trivial proof $\star$ in $\mathsf{Prf}\,A$ which we regard as the normal form of any $t \in \mathsf{Term}(\Gamma, \mathsf{Prf}\,A)$.

\[
\frac{A \in \mathsf{Term}(\Gamma, \mathsf{U})}{\mathsf{Prf}\,A \in \mathsf{Term}(\Gamma, \mathsf{U})}\ (\textsc{prf-f})
\qquad
\frac{A \in \mathsf{Type}(\Gamma)}{\mathsf{Prf}\,A \in \mathsf{Type}(\Gamma)}\ (\textsc{prf-f})
\]
\[
\frac{a \in \mathsf{Term}(\Gamma, A)}{[a] \in \mathsf{Term}(\Gamma, \mathsf{Prf}\,A)}\ (\textsc{prf-i})
\qquad
\frac{a \in \mathsf{Term}(\Gamma, A)}{\star \in \mathsf{Term}(\Gamma, \mathsf{Prf}\,A)}\ (\textsc{prf-tm})
\qquad
\frac{A \in \mathsf{Type}(\Gamma) \quad t, t' \in \mathsf{Term}(\Gamma, \mathsf{Prf}\,A)}{t = t' \in \mathsf{Term}(\Gamma, \mathsf{Prf}\,A)}\ (\textsc{prf-eq})
\]

Note that (prf-tm) is analogous to (n$_0$-tm) and the same remarks apply; in particular, (prf-tm) is also a rule in ($\vdash^*$) but not in ($\vdash$).

We use Awodey and Bauer's [11] elimination rule for proofs.

\[
\frac{\Gamma \vdash t : \mathsf{Prf}\,A \quad \Gamma \vdash B \quad \Gamma, x{:}A \vdash b : B \quad \Gamma, x{:}A, y{:}A \vdash b = b[y/x] : B}{\Gamma \vdash b\ \mathsf{where}\ [x] \leftarrow t : B}
\]

The content $x : A$ of a proof $t : \mathsf{Prf}\,A$ can be used in $b$ via the elimination $b\ \mathsf{where}\ [x] \leftarrow t$ if $b$ does not actually depend on it, which is expressed via the hypothesis that $b$ should be equal to $b[y/x]$ for an arbitrary $y$. This elimination principle is stronger than "proofs can only be used inside of proofs", which is witnessed by the rule:

\[
\frac{\Gamma \vdash t : \mathsf{Prf}\,A \quad \Gamma \vdash B \quad \Gamma, x{:}A \vdash b : \mathsf{Prf}\,B}{\Gamma \vdash b\ \mathsf{where}\ [x] \leftarrow t : \mathsf{Prf}\,B}
\]
Note that this weaker elimination rule in the style of a bind operation for monads is an instance of the Awodey-Bauer rule, since the equation $\Gamma, x{:}A, y{:}A \vdash b = b[y/x] : \mathsf{Prf}\,B$ holds trivially due to proof irrelevance. An example which is typable with the Awodey-Bauer rule but not the monadic rule is the term $\mathsf{magic}$ given in the next section.

The Awodey-Bauer $\mathsf{where}$ fulfills $\beta$-, $\eta$-, and associativity laws analogous to the ones of a monad.

\[
\begin{array}{ll}
b\ \mathsf{where}\ [x] \leftarrow [a] = b[a/x]\\[2pt]
b[[x]/y]\ \mathsf{where}\ [x] \leftarrow t = b[t/y]\\[2pt]
a\ \mathsf{where}\ [x] \leftarrow (b\ \mathsf{where}\ [y] \leftarrow c) = (a\ \mathsf{where}\ [x] \leftarrow b)\ \mathsf{where}\ [y] \leftarrow c & \text{if } y \notin \mathrm{FV}(a)
\end{array}
\]

After this more readable presentation in named syntax, we add the eliminator and its equations to our GAT in de Bruijn style:

\[
\frac{t \in \mathsf{Term}(\Gamma, \mathsf{Prf}\,A) \quad B \in \mathsf{Type}(\Gamma) \quad b \in \mathsf{Term}(\Gamma.A, B\mathsf{p}) \quad b\mathsf{p} = b\,(\mathsf{pp}, \mathsf{q}) \in \mathsf{Term}(\Gamma.A.A\mathsf{p}, B\mathsf{pp})}{b\ \mathsf{where}_B\ t \in \mathsf{Term}(\Gamma, B)}\ (\textsc{prf-el})
\]
\[
\begin{array}{lr}
b\ \mathsf{where}_B\ [a] = b\,(\mathsf{id}, a) & (\textsc{prf-}\beta)\\[2pt]
b\,(\mathsf{p}, [\mathsf{q}])\ \mathsf{where}_B\ t = b\,(\mathsf{id}, t) & (\textsc{prf-}\eta)\\[2pt]
a\ \mathsf{where}_B\ (b\ \mathsf{where}_{\mathsf{Prf}\,A}\ c) = (a\,(\mathsf{pp}, \mathsf{q})\ \mathsf{where}_{B\mathsf{p}}\ b)\ \mathsf{where}_B\ c & (\textsc{prf-assoc})
\end{array}
\]



After exposition of the formation, introduction, elimination, and equality rules for the types of $\lambda^{\mathsf{Irr}}$, we continue with basic properties of derivations. From now on, we use the more conventional notation for judgements.

Definition 2.9 (Neutral terms and normal forms).

\[
\begin{array}{lll}
\mathsf{Ne} \ni k & ::= & \ldots \mid \mathsf{fst}\ k \mid \mathsf{snd}\ k \mid \mathsf{natrec}\ V\ v\ v'\ k \mid \mathsf{case}^n\ V\ v_0 \cdots v_{n-1}\ k \mid v\ \mathsf{where}_V\ k \mid \star\\[2pt]
\mathsf{Nf} \ni v, V & ::= & \ldots \mid \Sigma V W \mid \mathsf{Nat} \mid \mathsf{N}_n \mid \mathsf{Prf}\,V \mid (v, v') \mid \mathsf{zero} \mid \mathsf{suc}\ v \mid \mathsf{c}^n_i \mid [v]
\end{array}
\]

Lemma 2.10 (Inversion of types).

(1) If $\Gamma \vdash \Sigma A B$, then $\Gamma \vdash A$, and $\Gamma.A \vdash B$.

(2) If $\Gamma \vdash \mathsf{Prf}\,A$, then $\Gamma \vdash A$.

Lemma 2.11 (Inversion of typing).

(1) If $\Gamma \vdash \Sigma A' B : A$, then $\Gamma \vdash A = \mathsf{U}$, and $\Gamma \vdash A' : \mathsf{U}$, and $\Gamma.A' \vdash B : \mathsf{U}$.

(2) If $\Gamma \vdash \mathsf{Nat} : A$, then $\Gamma \vdash A = \mathsf{U}$.

(3) If $\Gamma \vdash \mathsf{N}_n : A$, then $\Gamma \vdash A = \mathsf{U}$.

(4) If $\Gamma \vdash (t, b) : A$, then $\Gamma \vdash A = \Sigma A' B$, and $\Gamma \vdash t : A'$, and $\Gamma \vdash b : B\,(\mathsf{id}, t)$.

(5) If $\Gamma \vdash \mathsf{fst}\ t : A$, then $\Gamma \vdash A = A'$, and $\Gamma \vdash t : \Sigma A' B$, for some $A'$ and $B$.

(6) If $\Gamma \vdash \mathsf{snd}\ t : B$, then $\Gamma \vdash B = B'\,(\mathsf{id}, \mathsf{fst}\ t)$, and $\Gamma \vdash t : \Sigma A B'$, for some $A$ and $B'$.

(7) If $\Gamma \vdash \mathsf{zero} : A$, then $\Gamma \vdash A = \mathsf{Nat}$.

(8) If $\Gamma \vdash \mathsf{suc}\ t : A$, then $\Gamma \vdash t : \mathsf{Nat}$, and $\Gamma \vdash A = \mathsf{Nat}$.

(9) If $\Gamma \vdash \mathsf{natrec}\ B\ z\ s\ t : A$, then $\Gamma.\mathsf{Nat} \vdash B$, $\Gamma \vdash z : B\,(\mathsf{id}, \mathsf{zero})$, $\Gamma \vdash s : \mathsf{Rec}(B)$, $\Gamma \vdash t : \mathsf{Nat}$, and $\Gamma \vdash A = B\,(\mathsf{id}, t)$.

(10) If $\Gamma \vdash \mathsf{c}^n_i : A$, then $\Gamma \vdash A = \mathsf{N}_n$.

(11) If $\Gamma \vdash \mathsf{case}\ B\ \vec{t}\ t' : A$, then $\Gamma.\mathsf{N}_n \vdash B$, $\Gamma \vdash t_i : B\,(\mathsf{id}, \mathsf{c}_i)$, $\Gamma \vdash t' : \mathsf{N}_n$, and $\Gamma \vdash A = B\,(\mathsf{id}, t')$.

(12) If $\Gamma \vdash [t] : A$, then $\Gamma \vdash A = \mathsf{Prf}\,A'$ and $\Gamma \vdash t : A'$.

(13) If $\Gamma \vdash b\ \mathsf{where}_B\ t : A$, then $\Gamma \vdash A = B$, $\Gamma \vdash t : \mathsf{Prf}\,A'$ for some $A'$, $\Gamma.A' \vdash b : B\mathsf{p}$, and $\Gamma.A'.A'\mathsf{p} \vdash b\mathsf{p} = b\,(\mathsf{pp}, \mathsf{q}) : B\mathsf{pp}$.

2.3. Conservativity of ($\vdash^*$). In this section we prove that ($\vdash^*$) is a conservative extension of ($\vdash$); i.e., any derivation in ($\vdash^*$) has a counterpart derivation in ($\vdash$) and the components of the conclusions of those derivations are judgmentally equal in ($\vdash^*$).

Definition 2.12. A term is called pure if it does not contain any occurrence of $\star$. Let $\nu$ be a syntactical entity; if $\mu$ is obtained from $\nu$ by replacing all occurrences of $\star$ by pure terms, then $\mu$ is called a lifting of $\nu$.

We will distinguish those liftings that are judgmentally equal to the lifted entity; these liftings are called good liftings.

Definition 2.13 (Good lifting).

(1) A context $\Gamma' \vdash$ is a good lifting of $\Gamma \vdash^*$ if $\Gamma'$ is a lifting of $\Gamma$, such that $\vdash^* \Gamma = \Gamma'$.

(2) A substitution $\Gamma' \vdash \sigma' : \Delta'$ is a good lifting of $\Gamma \vdash^* \sigma : \Delta$ if $\Gamma' \vdash$ and $\Delta' \vdash$ are good liftings of $\Gamma \vdash^*$ and $\Delta \vdash^*$, resp., and $\sigma'$ is a lifting of $\sigma$, such that $\Gamma \vdash^* \sigma = \sigma' : \Delta$.

(3) A type $\Gamma' \vdash A'$ is a good lifting of $\Gamma \vdash^* A$ if $\Gamma' \vdash$ is a good lifting of $\Gamma \vdash^*$ and $A'$ is a lifting of $A$, such that $\Gamma \vdash^* A = A'$.

(4) A term $\Gamma' \vdash t' : A'$ is a good lifting of $\Gamma \vdash^* t : A$ if $\Gamma' \vdash A'$ is a good lifting of $\Gamma \vdash^* A$ and $t'$ is a lifting of $t$, such that $\Gamma \vdash^* t = t' : A$.

Now we can prove that there is a good lifting for each syntactic entity; for proving this, we need the stronger condition that any pair of good liftings for some entity are judgmentally equal.

Theorem 2.14.

(1) Let $\Gamma \vdash^*$; then there is a good lifting $\Gamma' \vdash$ of $\Gamma \vdash^*$; moreover if $\Gamma'' \vdash$ is also a good lifting of $\Gamma \vdash^*$ then $\vdash \Gamma' = \Gamma''$.

(2) Let $\Gamma \vdash^* \sigma : \Delta$; then there is a good lifting $\Gamma' \vdash \sigma' : \Delta'$ of $\Gamma \vdash^* \sigma : \Delta$; moreover if $\Gamma'' \vdash \sigma'' : \Delta''$ is also a good lifting of $\Gamma \vdash^* \sigma : \Delta$ then $\vdash \Gamma' = \Gamma''$, $\vdash \Delta' = \Delta''$, and $\Gamma' \vdash \sigma' = \sigma'' : \Delta'$.

(3) Let $\Gamma \vdash^* A$; then there is a good lifting $\Gamma' \vdash A'$ of $\Gamma \vdash^* A$; moreover if $\Gamma'' \vdash A''$ is also a good lifting of $\Gamma \vdash^* A$ then $\vdash \Gamma' = \Gamma''$ and $\Gamma' \vdash A' = A''$.

(4) Let $\Gamma \vdash^* t : A$; then there is a good lifting $\Gamma' \vdash t' : A'$ of $\Gamma \vdash^* t : A$; moreover if $\Gamma'' \vdash t'' : A''$ is also a good lifting of $\Gamma \vdash^* t : A$ then $\vdash \Gamma' = \Gamma''$, $\Gamma' \vdash A' = A''$, and $\Gamma' \vdash t' = t'' : A'$.

Proof. By induction on derivations. In each rule we use the i.h. and build up the corresponding entity from the good liftings of each part of the judgement; then, given any other good lifting of the whole judgement, we do inversion on the definition of good lifting and get the equalities for each part; we finish using congruence for showing that both good liftings are judgmentally equal.
We show the case for (prf-tm). First we prove the existence of a good lifting.

\[
\begin{array}{lll}
\Gamma \vdash^* \star : \mathsf{Prf}\,A & \text{hypothesis} & (*)\\[2pt]
\Gamma \vdash^* t : A & \text{by inversion on } (*) & (\dagger)\\[2pt]
\Gamma' \vdash t' : A' & \text{by ind. hyp., is a good lifting of } (\dagger)\\[2pt]
\Gamma' \vdash [t'] : \mathsf{Prf}\,A' & \text{by (prf-i), is a good lifting of } (*)
\end{array}
\]

Now we prove the second half of the theorem.

\[
\begin{array}{lll}
\Gamma'' \vdash s : B'' & \text{hypothesis, let it be another good lifting of } (*) & (**)\\[2pt]
\Gamma'' \vdash B'' & \text{by inversion, good lifting of } \Gamma \vdash^* \mathsf{Prf}\,A\\[2pt]
\Gamma' \vdash B'' = \mathsf{Prf}\,A' & \text{by ind. hyp.}\\[2pt]
\Gamma' \vdash [t'] = s : \mathsf{Prf}\,A' & \text{by (prf-eq) and (conv).}
\end{array}
\]

$\square$

Corollary 2.15. The calculus ($\vdash^*$) is a conservative extension of ($\vdash$). $\square$

Combining singleton types and proof-irrelevant propositions. For illustrating the difficulties one can find when extending $\lambda^{\mathsf{Irr}}$ with singleton types, consider a slightly different calculus where we drop the type annotation of the eliminator for proof-irrelevance terms; i.e., we would have $b\ \mathsf{where}\ t$ instead of $b\ \mathsf{where}_A\ t$. In the resulting system one can derive (each line follows from the one above it):

\[
\begin{array}{c@{\qquad}c}
\vdash \mathsf{c}_0 : \{\mathsf{c}_0\}_{\mathsf{N}_2} & \vdash \mathsf{c}_1 : \{\mathsf{c}_1\}_{\mathsf{N}_2}\\[2pt]
\vdash \star : \mathsf{Prf}\,\{\mathsf{c}_0\}_{\mathsf{N}_2} & \vdash \star : \mathsf{Prf}\,\{\mathsf{c}_1\}_{\mathsf{N}_2}\\[2pt]
\vdash x\ \mathsf{where}\ [x] \leftarrow \star : \{\mathsf{c}_0\}_{\mathsf{N}_2} & \vdash x\ \mathsf{where}\ [x] \leftarrow \star : \{\mathsf{c}_1\}_{\mathsf{N}_2}\\[2pt]
\vdash x\ \mathsf{where}\ [x] \leftarrow \star = \mathsf{c}_0 : \{\mathsf{c}_0\}_{\mathsf{N}_2} & \vdash x\ \mathsf{where}\ [x] \leftarrow \star = \mathsf{c}_1 : \{\mathsf{c}_1\}_{\mathsf{N}_2}\\[2pt]
\vdash x\ \mathsf{where}\ [x] \leftarrow \star = \mathsf{c}_0 : \mathsf{N}_2 & \vdash x\ \mathsf{where}\ [x] \leftarrow \star = \mathsf{c}_1 : \mathsf{N}_2\\[2pt]
\multicolumn{2}{c}{\vdash \mathsf{c}_0 = \mathsf{c}_1 : \mathsf{N}_2}
\end{array}
\]

This derivation shows that mixing the rule (sing-eq-el) with erasure of proof-terms leads to inconsistencies. It is yet unclear how to combine singleton types and erasure of proof-terms; we leave this topic for future work. On the other hand, there are no problems in extending ($\vdash$) with singleton types; in fact, we can construct (see Rem. 5.36) a model where $[\![\mathsf{c}_0]\!] \neq [\![\mathsf{c}_1]\!]$, which assures $\nvdash \mathsf{c}_0 = \mathsf{c}_1 : \mathsf{N}_2$.



3. Examples 



3.1. Safe vector projection in $\lambda^{\mathsf{Irr}}$. We give a short demonstration how to use proof irrelevance in $\lambda^{\mathsf{Irr}}$: we define vectors and a type-safe projection function. While de Bruijn style is good for implementation and reasoning, it is virtually unreadable for humans, so we allow ourselves named $\lambda$-terms here, which can be mechanically converted into actual terms of $\lambda^{\mathsf{Irr}}$. For instance, we write $\mathsf{Fun}\,A\,(x.B)$ instead of the de Bruijn style $\mathsf{Fun}\,A\,B$. For further convenience, let $(x : A) \to B = \mathsf{Fun}\,A\,(x.B)$ and $(x : A) \times B = \Sigma\,A\,(x.B)$. The non-dependent versions are written $A \to B = (\_ : A) \to B$ and $A \times B = (\_ : A) \times B$. The type $\mathsf{Vec}\ A\ n$ of vectors of length $n$ over element type $A$ can be defined recursively as follows.

\[
\begin{array}{l}
\mathsf{Vec} : (A : \mathsf{U}) \to (n : \mathsf{Nat}) \to \mathsf{U}\\[2pt]
\mathsf{Vec} = \lambda A\,\lambda n.\ \mathsf{natrec}\ \mathsf{U}\ \mathsf{N}_1\ (\lambda n'\,\lambda V.\ A \times V)\ n
\end{array}
\]

A more suggestive notation for definitions by recursion is pattern matching; in this the definition of $\mathsf{Vec}$ reads as follows:

\[
\begin{array}{l}
\mathsf{Vec} : (A : \mathsf{U}) \to (n : \mathsf{Nat}) \to \mathsf{U}\\[2pt]
\mathsf{Vec}\ A\ \mathsf{zero} = \mathsf{N}_1\\[2pt]
\mathsf{Vec}\ A\ (\mathsf{suc}\ n') = A \times \mathsf{Vec}\ A\ n'
\end{array}
\]

In the following, we use pattern matching as syntactic sugar for $\mathsf{natrec}$. Our language already has booleans, so let us define comparison of natural numbers.

\[
\begin{array}{ll}
\mathsf{leq} : (m : \mathsf{Nat}) \to (n : \mathsf{Nat}) \to \mathsf{Bool} & \mathsf{Bool} = \mathsf{N}_2\\[2pt]
\mathsf{leq}\ \mathsf{zero}\ n = \mathsf{true} & \mathsf{true} = \mathsf{c}_0\\[2pt]
\mathsf{leq}\ (\mathsf{suc}\ m)\ \mathsf{zero} = \mathsf{false} & \mathsf{false} = \mathsf{c}_1\\[2pt]
\mathsf{leq}\ (\mathsf{suc}\ m)\ (\mathsf{suc}\ n) = \mathsf{leq}\ m\ n
\end{array}
\]

By reflecting booleans into $\mathsf{U}$ we can obtain witnesses of propositions.

\[
\begin{array}{l}
\mathsf{True} : (b : \mathsf{Bool}) \to \mathsf{U}\\[2pt]
\mathsf{True}\ \mathsf{true} = \mathsf{N}_1\\[2pt]
\mathsf{True}\ \mathsf{false} = \mathsf{N}_0
\end{array}
\]

$\mathsf{True}\ (\mathsf{leq}\ m\ n)$ is inhabited if $m \le n$, because then $\mathsf{True}\ (\mathsf{leq}\ m\ n)$ simplifies to $\mathsf{N}_1$ with trivial inhabitant $\mathsf{c}_0$. If not $m \le n$ then $\mathsf{True}\ (\mathsf{leq}\ m\ n)$ simplifies to the empty type $\mathsf{N}_0$. A proposition $\mathsf{Lt}$ for "less than" is obtained as:

\[
\begin{array}{l}
\mathsf{Lt} : (m : \mathsf{Nat}) \to (n : \mathsf{Nat}) \to \mathsf{U}\\[2pt]
\mathsf{Lt}\ m\ n = \mathsf{True}\ (\mathsf{leq}\ (\mathsf{suc}\ m)\ n)
\end{array}
\]

We are now ready to define a safe projection operation for vectors.

\[
\begin{array}{l}
\mathsf{lookup} : (A : \mathsf{U}) \to (n : \mathsf{Nat}) \to (m : \mathsf{Nat}) \to (p : \mathsf{Prf}\,(\mathsf{Lt}\ m\ n)) \to (v : \mathsf{Vec}\ A\ n) \to A\\[2pt]
\mathsf{lookup}\ A\ \mathsf{zero}\ m\ p\ v = \mathsf{magic}\ A\ p\\[2pt]
\mathsf{lookup}\ A\ (\mathsf{suc}\ n)\ \mathsf{zero}\ p\ v = \mathsf{fst}\ v\\[2pt]
\mathsf{lookup}\ A\ (\mathsf{suc}\ n)\ (\mathsf{suc}\ m)\ p\ v = \mathsf{lookup}\ A\ n\ m\ p\ (\mathsf{snd}\ v)
\end{array}
\]

Since $\mathsf{Lt}\ (\mathsf{suc}\ m)\ (\mathsf{suc}\ n) = \mathsf{Lt}\ m\ n$ we can simply pass $p$ to the recursive call in the last equation. In the first line we have to magically conjure an element of $A$ from a proof $p : \mathsf{Prf}\,(\mathsf{Lt}\ m\ \mathsf{zero}) = \mathsf{Prf}\,(\mathsf{True}\ (\mathsf{leq}\ (\mathsf{suc}\ m)\ \mathsf{zero})) = \mathsf{Prf}\,(\mathsf{True}\ \mathsf{false}) = \mathsf{Prf}\,\mathsf{N}_0$.

\[
\begin{array}{l}
\mathsf{magic} : (A : \mathsf{U}) \to (p : \mathsf{Prf}\,\mathsf{N}_0) \to A\\[2pt]
\mathsf{magic}\ A\ p = \mathsf{case}^0\ A\ q\ \mathsf{where}\ [q] \leftarrow p
\end{array}
\]

This is well typed since all inhabitants of $\mathsf{N}_0$ are equal; thus, the Awodey-Bauer rule (prf-el) is applicable.

The benefit of proof irrelevance is that now for any $p, q : \mathsf{Lt}\ m\ n$, $\mathsf{lookup}\ A\ n\ m\ p\ v = \mathsf{lookup}\ A\ n\ m\ q\ v : A$; for a more detailed discussion consult Werner [56].
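The definitions of this section replayed in Python, as an added example (written for this page, not taken from the paper or its appendices). The only recursion principle used is $\mathsf{natrec}$ with its two computation laws, so $\mathsf{Vec}\ A\ n$ visibly computes a type by recursion on $n$ (large elimination), and $\mathsf{leq}$, $\mathsf{Lt}$ and $\mathsf{lookup}$ follow the pattern-matching equations above. Natural numbers are Python ints (zero is `0`, $\mathsf{suc}\ n$ is `n + 1`); the tuple encoding of types and constants, the helper `prove_lt` that plays the type-checker (it hands out the canonical proof $\star$ only when $\mathsf{Lt}\ m\ n$ computes to $\mathsf{N}_1$), and all function names are assumptions of this example.

```python
# Added example (not code from the paper): Section 3.1 in Python, with natrec
# as the only recursion principle and types modelled as tuples.

def natrec(z, s, n):
    """natrec B z s t with natrec B z s zero = z and
    natrec B z s (suc t) = app (app s t) (natrec B z s t)."""
    r = z
    for t in range(n):                 # unfold suc t from zero upwards
        r = s(t)(r)
    return r

NAT = ('Nat',)
def N(n):       return ('N', n)        # enumeration set N_n
def c(n, i):    return ('c', n, i)     # canonical inhabitant c^n_i
N0, N1, BOOL = N(0), N(1), N(2)        # Bool = N_2
TRUE, FALSE = c(2, 0), c(2, 1)         # true = c_0, false = c_1
UNIT = c(1, 0)                         # the single inhabitant of N_1
STAR = ('star',)                       # ★, the normal form of every proof
def prod(A, B): return ('Prod', A, B)  # A × B (non-dependent Σ)

def Vec(A, n):
    """Vec A zero = N_1; Vec A (suc n') = A × Vec A n'  (a type computed by natrec)."""
    return natrec(N1, lambda n_: lambda V: prod(A, V), n)

def leq(m, n):
    """leq zero n = true; leq (suc m) zero = false; leq (suc m) (suc n) = leq m n.
    The inner natrec on n only plays the role of a case distinction."""
    return natrec(lambda n: TRUE,
                  lambda m_: lambda rec: lambda n:
                      natrec(FALSE, lambda n_: lambda _: rec(n_), n),
                  m)(n)

def True_(b):
    """True true = N_1; True false = N_0 (case^2 on the boolean)."""
    return N1 if b == TRUE else N0

def Lt(m, n):
    """Lt m n = True (leq (suc m) n)."""
    return True_(leq(m + 1, n))

def prove_lt(m, n):
    """The type-checker's view: a proof ★ : Prf (Lt m n) exists iff Lt m n is N_1."""
    if Lt(m, n) != N1:
        raise TypeError(f"no proof of Lt {m} {n}: the type computes to N_0")
    return STAR

def magic(A, p):
    """magic A p = case^0 A q where [q] <- p: unreachable with a genuine proof,
    because Prf N_0 is uninhabited in a consistent context."""
    raise AssertionError("magic reached: a proof of Prf N_0 was supplied")

def fst(v): return v[0]
def snd(v): return v[1]

def vec(items):
    """An inhabitant of Vec A n as nested pairs ending in the N_1 element."""
    v = UNIT
    for x in reversed(items):
        v = (x, v)
    return v

def lookup(A, n, m, p, v):
    """lookup A zero m p v = magic A p; lookup A (suc n) zero p v = fst v;
    lookup A (suc n) (suc m) p v = lookup A n m p (snd v).  Outer natrec on n,
    inner natrec on m as the case distinction zero / suc m."""
    return natrec(lambda m, p, v: magic(A, p),
                  lambda n_: lambda rec: lambda m, p, v:
                      natrec(fst(v), lambda m_: lambda _: rec(m_, p, snd(v)), m),
                  n)(m, p, v)

if __name__ == "__main__":
    v = vec([10, 20, 30])                             # v : Vec Nat 3
    print(Vec(NAT, 3))
    print(lookup(NAT, 3, 1, prove_lt(1, 3), v))       # 20
    try:
        prove_lt(3, 3)                                # Lt 3 3 = N_0: no proof
    except TypeError as e:
        print("rejected:", e)
```

Because `prove_lt` is the only way to obtain a proof, an out-of-range index is refused before `lookup` runs, and the `magic` branch is never reached; this is the runtime image of the fact that $\mathsf{Prf}\,\mathsf{N}_0$ is empty in the empty context. Proof irrelevance shows up as `prove_lt` returning the same canonical $\star$ for every valid $(m, n)$, so the result of `lookup` cannot depend on which proof was used.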
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3.2. Isomorphisms in A . Any already irrelevant type is isomorphic to its Prf version, 
i.e., for A £ {Nq, Ni, Prf {^Ib} we have coercions 

(/) = Ax. [x] : A ^ Prf A 

ip = Ax. 2/ where [y] X : Prf A ^ A 

with ij) o (j) = Ax. X by (prf-/3) and (j) o ip = Ax. x by proof irrelevance. How do these 
coercions extend to higher types? For arbitrary A, B we have. 





: (x:Prf A) X Prf5 ^ 


> Prf ((x:A) X B) 




= Xp. [(a, b)] where [a] 


^ fst p where [b] ^ snd p 




: Prf ((x:y4) X S) ^ ( 


xiPrfyl) X Prf 5 




= Xq. ([fstp], [snd p]) where [p] ^ q 




: {{x:A)^PrfB)^ 


Prf ((x:^) ^ B) 




= A/. [Ax. ? where [y] ^ 


-fx] 




: Prf ((x:^) ^ 5) ^ 


{x:A) PrfB 




= A/Ax. [i^x] where [g] 





We would like to put y for the ? in φ^Π, but this is not well typed, since we do not have
y = z : B for arbitrary z. It seems that φ^Π is not definable in λ^Irr, as it is not definable
in the computational lambda-calculus [44] for an arbitrary monad Prf. Awodey and Bauer also
have only φ^Π : ((x:A) → Prf B) → Prf ((x:A) → Prf B), which is trivial.
For arbitrary p : (x:Prf A) × Prf B we have

(ψ^Σ ∘ φ^Σ)(p) =_β ([a], [b]) where [a] ← fst p where [b] ← snd p
               =_η (fst p, snd p) =_η p.

In the opposite direction, φ^Σ ∘ ψ^Σ = λq. q by proof irrelevance. Thus, φ^Σ and ψ^Σ establish an
isomorphism, which means that Prf distributes over Σ.

3.3. On subtyping in λ^Sing. Subtyping can be defined in several ways; for instance, A is a
subtype of A' in Γ, written Γ ⊢ A <: A', iff Γ, x:A ⊢ x : A'. Most presentations of singleton
types include subtyping [10, 22, 51], so it is natural to ask whether the usual rules hold
in our calculus. Using the principle u = t : A iff u : {t}_A, it is easy to see that we have
Aspinall's two axioms [10]:

x : {t}_A ⊢ x : A

x : {t}_A ⊢ x : {t}_{{t}_A}    since x = t : {t}_A

Also, singleton formation is compatible with subtyping: if Γ ⊢ A <: B then Γ ⊢ {t}_A <:
{t}_B. Contravariant subtyping, however, only holds up to η-equality. If we relax the
definition of subtyping Γ ⊢ A <: A' to Γ, x:A ⊢ η(x) : A', where η(x) denotes any η-expansion
of x, then we get contravariant subtyping:

  Γ, x:A' ⊢ η_A(x) : A        Γ, x:A', y:B[η_A(x)/x] ⊢ η_B(y) : B'
  ------------------------------------------------------------------
  Γ, f:(x:A) → B ⊢ λx. η_B(f (η_A(x))) : (x:A') → B'

Furthermore, we have the following two axioms, which hold definitionally in Stone and Harper's
system [51]:

f : {t}_{(x:A) → B} ⊢ λx. f x : (x:A) → {t x}_B    since f = t : (x:A) → B

f : (x:A) → {t x}_B ⊢ λx. f x : {t}_{(x:A) → B}    since f x = t x : B

The first axiom is one of Courant's subtyping rules [22].

4. From Untyped to Typed Normalisation by Evaluation 

In this section, we give a short introduction to normalisation by evaluation for typed
lambda calculi, with a special emphasis on our novel method for generating fresh identifiers
during reification.

4.1. Fresh Name Generation in NbE. The basic idea of NbE is to evaluate a term
of type A into a suitable semantics ⟦A⟧ from which its normal form can be extracted by
reification. In the case of the simply-typed lambda-calculus, this is possible if we choose for
base types ⟦o⟧ the set of terms of type o and for function types ⟦A → B⟧ a suitable subset
of the function space ⟦A⟧ → ⟦B⟧. During reification of a function f ∈ ⟦A → B⟧ to a term
λx.t, the identifier x has to be chosen fresh to avoid capture of names in the body of the
function f. However, since f is a semantic object, it is a non-trivial problem to compute a
name which is fresh for f. Garillot and Werner [27] solve it by first letting x be a dummy
identifier, computing the free variables in the reified function body t, and then reifying f again
with a name x which is fresh for t. This is, of course, horribly inefficient, and there are other
solutions. In the original publication on NbE by Berger and Schwichtenberg [16], base types
⟦o⟧ = Λ are interpreted by term families. These are functions g from the natural numbers
into a de Bruijn level representation of terms such that all instances g(n) are α-equivalent
but in g(n) the bound variables are levels starting with n. In this setting, the reification
of a function f ∈ ⟦A → B⟧ is not a term but a term family, mapping f to the term family
n ↦ λx_n. φ(f(x_n^*))(n + 1), where φ denotes the reification function and x_n^* is the variable
x_n seen as an element of ⟦A⟧. Note that every λ in φ(f(x_n^*))(n + 1), the body of the reified
abstraction, will bind a variable from the set {x_{n+1}, x_{n+2}, ...}.

When considering NbE for the untyped lambda calculus, the type semantics collapses
to a single domain D = Λ + [D → D] which contains terms and functions, as observed by
Filinski and Rohde [26]. Aehlig and Joachimski [8] replace term families by functions h
from natural numbers to a de Bruijn index representation of terms, where h(n) shifts all
free indices by n.

In this paper, instead of having term families Λ in the semantics, we have a notion
of neutral ("term-like") value built up from free variables x_i and application of the free
variables to sequences of values d⃗. The free variables are de Bruijn levels in spirit; thus
no shifting is needed, just like in the locally nameless approach [49]. The second author
has given a semantics with neutrals before [20], calling the free variables generic values.
Also, this approach has been used by the first two authors together with Dybjer [5] for NbE
without a reflection operation, and independently by Löh, McBride, and Swierstra [35]. In
this article, we put the technique to a novel use by defining typed reification and reflection
for this semantics.

Let us notice here the tagging introduced by the disjoint sum operator +. Indeed, in the absence of a
type structure, tagless normalisation seems impossible.

4.2. Untyped NbE. Let Var = {x_0, x_1, ...} be a denumerable set of variables. We consider
a set D and a notion of function space [D → D] with an embedding constructor
Lam : [[D → D] → D] and two further constructors Var : Var → D and App : [D × D → D]
for neutral values. An application function _·_ : [D × D → D] is given by

(Lam f) · d = f(d)

e · d = App(e, d)    if e is not a Lam.

Such a D can be realised by solving the recursive domain equation D = [D → D] ⊕ Var_⊥ ⊕
(D × D) or, for the practically minded, by defining a Haskell data type

-- GADT syntax (needs the GADTs extension); Var is the type of variable names
data D where
  Lam :: (D -> D) -> D
  Var :: Var -> D
  App :: D -> D -> D

and programming _·_ by pattern matching. Our definition of D is a bit "too big" since it
does not restrict App to the construction of neutral values App(... App(Var x_i, d_1) ...)
but also admits App(Lam f, d). However, we can ignore these unwanted elements since our
NbE algorithm never produces any.

Remark 4.1. The relationship between the denotational model D and the Haskell data type
D is not without subtleties. Domain-theoretic functions such as application _·_ correspond
to Haskell programs if our denotational semantics is computationally adequate for Haskell's
operational semantics [H]. Filinski and Rohde [26] formally relate an NbE function on a
reflexive domain D to an NbE program written in an ML-like, call-by-value language, by
exploiting computational adequacy. We do not formally prove this connection for Haskell
in this article; this is deferred to future work.

Untyped NbE is now given by a standard evaluator ⟦t⟧ρ ∈ D of terms t in environments
ρ and a read-back function R_j d from values d at de Bruijn level j to terms [31]. For the sake
of readability, we use names instead of de Bruijn indices in the syntax of untyped terms.

⟦x⟧ρ = ρ(x)                          R_j (Var x_i) = x_i
⟦r s⟧ρ = ⟦r⟧ρ · ⟦s⟧ρ                 R_j (App(r, s)) = (R_j r) (R_j s)
⟦λx.t⟧ρ = Lam(d ↦ ⟦t⟧ρ[d/x])         R_j (Lam f) = λx_j. R_{j+1} (f (Var x_j))

To normalise a closed term t, compute R_0 ⟦t⟧. To normalise an open term t with free
variables y_0, ..., y_{n-1} compute R_n ⟦t⟧ρ with environment ρ(y_i) = Var x_i.

To prepare for applying our method to λ^Sing and λ^Irr, let us switch to de Bruijn
representation. Environments become tuples and variables de Bruijn indices v_i.

⟦q⟧(ρ, d) = d                        R_j (Var x_i) = v_{j-(i+1)}
⟦t p⟧(ρ, d) = ⟦t⟧ρ
⟦r s⟧ρ = ⟦r⟧ρ · ⟦s⟧ρ                 R_j (App(r, s)) = (R_j r) (R_j s)
⟦λt⟧ρ = Lam(d ↦ ⟦t⟧(ρ, d))           R_j (Lam f) = λ (R_{j+1} (f (Var x_j)))

To read back a de Bruijn level Var x_i as a de Bruijn index, we have to take the current length
j of the variable context into account. While de Bruijn levels are absolute references,
numbered x_0, x_1, ..., x_{j-1} in a context of length j, de Bruijn indices are relative to the
length of the context and are enumerated from right to left: v_{j-1}, ..., v_1, v_0. The formula
j - (i + 1) (assuming i < j) converts level i into the corresponding index.

4.3. Typed NbE. While untyped NbE returns a β-normal form (if it exists), typed
normalisation by evaluation yields a βη-normal form, usually the η-long form. To obtain the
η-long form, we have to modify our reification procedure. One method is to make read-back
type directed, which corresponds to postponing η-expansion after β-normalisation.
However, this strategy is not sufficient in the case of λ^Sing, because η-expansions at
singleton types can trigger new β-reductions. The other method is to divide η-expansion into
reflection and "reification", the first expanding variables to enable new reductions, and the
second expanding the result of β-normalisation to obtain an η-long form.

The novel approach of this article is to do reflection ↑ and "reification" ↓, hence η-
expansion, completely at the level of the semantics D. Since our value domain D allows us
to construct functions via Lam, the process of η-expansion is independent of any fresh name
considerations.

↑_o e = e                                              ↓_o d = d
↑_{A→B} e = Lam(d ↦ ↑_B (App(e, ↓_A d)))                ↓_{A→B} d = Lam(e ↦ ↓_B (d · (↑_A e)))

To compute the long normal form of a closed term t of type A, run R_0 (↓_A ⟦t⟧). For an open
term y_0:A_0, ..., y_{n-1}:A_{n-1} ⊢ t : A, execute R_n (↓_A ⟦t⟧ρ) where ρ(y_i) = ↑_{A_i} (Var x_i).
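As an added illustration (not code from the paper), here is the untyped evaluator and level-to-index read-back of Sect. 4.2 together with the typed reflection ↑ and reification ↓ above, written in Python rather than the paper's Haskell sketch; the tuple encoding of terms and types and the function names are this example's own choices.

```python
# Added example: untyped NbE (Sect. 4.2) with de Bruijn terms, the read-back R_j that
# turns levels into indices, and the typed reflection/reification of Sect. 4.3.
# Terms are tuples: ("v", i) is the index v_i, ("lam", t) a binder, ("app", r, s).
# Types are ("o",) for the base type and ("->", A, B) for function types.
from dataclasses import dataclass
from typing import Callable, Union


@dataclass
class Lam:
    """Semantic function: the embedding Lam : [D -> D] -> D."""
    f: Callable[["D"], "D"]


@dataclass(frozen=True)
class Var:
    """Free variable x_i, identified by its (absolute) de Bruijn level i."""
    level: int


@dataclass(frozen=True)
class App:
    """Neutral application of a neutral value to an argument."""
    fun: "D"
    arg: "D"


D = Union[Lam, Var, App]


def apply(e: D, d: D) -> D:
    """Application _ . _ : (Lam f) . d = f(d); anything else forms a neutral App."""
    if isinstance(e, Lam):
        return e.f(d)
    return App(e, d)


def evaluate(t, env: tuple) -> D:
    """[t]rho: environments are tuples, index i selects the i-th entry from the right."""
    tag = t[0]
    if tag == "v":
        return env[-1 - t[1]]
    if tag == "lam":
        body = t[1]
        return Lam(lambda d: evaluate(body, env + (d,)))
    if tag == "app":
        return apply(evaluate(t[1], env), evaluate(t[2], env))
    raise ValueError(f"unknown term {t!r}")


def readback(j: int, d: D):
    """R_j d: read a value back as a term in a context of length j.

    Level i becomes index j - (i + 1) (assuming i < j, as in Sect. 4.2); under a Lam we
    apply the semantic function to the fresh level Var(j), so no name generation is needed."""
    if isinstance(d, Var):
        if d.level >= j:
            raise ValueError("level out of scope")  # does not arise for well-scoped input
        return ("v", j - (d.level + 1))
    if isinstance(d, App):
        return ("app", readback(j, d.fun), readback(j, d.arg))
    return ("lam", readback(j + 1, d.f(Var(j))))


def normalize(t, n_free: int = 0):
    """beta-normal form of t with free variables v_0..v_{n-1}: R_n [t]rho, rho(y_i) = Var x_i."""
    env = tuple(Var(i) for i in range(n_free))
    return readback(n_free, evaluate(t, env))


def reflect(ty, e: D) -> D:
    """up_A e: eta-expand a neutral e at type A inside D."""
    if ty[0] == "o":
        return e
    A, B = ty[1], ty[2]
    return Lam(lambda d: reflect(B, App(e, reify(A, d))))


def reify(ty, d: D) -> D:
    """down_A d: the eta-long value of d at type A inside D."""
    if ty[0] == "o":
        return d
    A, B = ty[1], ty[2]
    return Lam(lambda e: reify(B, apply(d, reflect(A, e))))


def normalize_typed(t, ty, ctx=()):
    """eta-long beta-normal form of ctx |- t : ty, where ctx[i] is the type of level i."""
    env = tuple(reflect(A, Var(i)) for i, A in enumerate(ctx))
    return readback(len(ctx), reify(ty, evaluate(t, env)))
```

With a free variable f : o → o, `normalize` leaves the term f alone while `normalize_typed` returns its η-long form λ. f v_0, which is the difference between the two procedures the text describes.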

5. Semantics

In this section we define a domain D for denoting types, terms, and substitutions. Then we
introduce a partial function R_j for reifying elements of the domain into the calculus; this
function takes an extra argument j ∈ N indicating the next free variable. We continue by
defining PERs over the domain; these PERs denote the axioms for types, terms, and substitutions.
We need PERs because the evaluation function is defined over syntactical entities and
not over typing judgements. We also introduce PERs Nf and Ne whose elements are invariably,
in every context, reified as normal forms and neutral terms respectively. Using these
PERs we define a family (indexed by denotations of types) of functions for "normalising"
in the domain. We conclude this section by proving completeness for this family of
normalisation functions; here completeness means that two terms equal in the theory are read
back as the same normal form. In short, this section defines a PER model of the calculus
presented in the previous section; the model is used to define a normalisation function later.



In tagless normalisers [16], reflection is necessary to inject variables x : A of non-base types A into the
semantics ⟦A⟧. However, for languages beyond pure type systems it is hard to obtain tagless normalisation.
Classic is the problem of disjoint sum types [S]: to display a free variable of type A + B as either a left
or a right injection, we need control structures [12]. Alternatively, one can replace data types by their
Church encodings. None of these approaches fit our purposes; thus, we are currently not aiming at tagless
normalisation.
5.1. PER semantics. In this subsection we introduce the abstract notion of PER models
for our theory. This subsection does not introduce any novelty (except for some notational
issues). We refer the reader to [42] for a short report on the historical developments of PER
models.

Definition 5.1 (Partial Equivalence Relations). A partial equivalence relation (PER) over
a set A is a binary relation over A which is symmetric and transitive.

If R is a PER over A, and (a, a') ∈ R, then it is clear that (a, a) ∈ R. We define
dom(R) = {a ∈ A | (a, a) ∈ R}; clearly, R is an equivalence relation over dom(R). If
(a, a') ∈ R, sometimes we will write a = a' ∈ R, and a ∈ R if a ∈ dom(R). We denote
with PER(A) the set of all PERs over A. Given two PERs R and R' over A, we say R is
included in R' if (a, a') ∈ R implies (a, a') ∈ R'; we denote this inclusion with R ⊆ R'.

If R ∈ PER(A) and F : dom(R) → PER(A), we say that F is a family of PERs
indexed by R iff for all a = a' ∈ R, F a = F a'. If F is a family indexed by R, we write
F : R → PER(A).

Definition 5.2 (Applicative structure). An applicative structure is given by a pair A =
(A, ·), where A is a set and · is a binary operation on A.

The following definitions are standard (e.g. [10, 21]) in definitions of PER models for
dependent types. The first one is even standard for non-dependent types (cf. [13]) and
"F-bounded polymorphism" ([17]); its definition clearly shows that equality is interpreted
extensionally for dependent function spaces. The second one is the PER corresponding to
the interpretation of singleton types; it has as its domain all the elements related to the
distinguished element of the singleton, and it relates everything in its domain.

Definition 5.3. Let A be an applicative structure, X ∈ PER(A), and F ∈ X → PER(A).

(1) Π X F = {(f, f') | f · a = f' · a' ∈ F a, for all a = a' ∈ X};

(2) {a}_X = {(b, b') | a = b ∈ X and a = b' ∈ X}.

Besides interpreting function spaces and singletons we need PERs for the denotation of 
the universe of small types, and for the set of large types; jointly with these PERs we need 
functions assigning a PER for each element in the domain of these universe PERs. Note 
that this forces the applicative structure to have some distinguished elements. 

Definition 5.4 (Universe). Given an applicative structure A with distinguished elements
Fun and Sing, a universe (𝒰, [_]) is a PER 𝒰 over A and a family [_] : 𝒰 → PER(A) with the
condition that 𝒰 is closed under function and singleton types. This means:

(1) Whenever X = X' ∈ 𝒰 and for all a = a' ∈ [X], F a = F' a' ∈ 𝒰, then Fun X F =
Fun X' F' ∈ 𝒰, with [Fun X F] = Π [X] (a ↦ [F a]).

(2) Whenever X = X' ∈ 𝒰 and a = a' ∈ [X], then Sing a X = Sing a' X' ∈ 𝒰 and
[Sing a X] = {a}_{[X]}.

An applicative structure paired with one universe for small types and one universe for large 
types is the minimal structure needed for having a model of our theory. 

Definition 5.5 (PER model). Let A be an applicative structure with distinguished elements
U, Fun, and Sing; a PER model is a tuple (A, 𝒰, T, [_]) satisfying:
(1) 𝒰 ⊆ T ∈ PER(A), such that (T, [_]) and (𝒰, [_]|_𝒰) are both universes, and
(2) U ∈ dom(T), with [U] = 𝒰.

In the following definition we introduce an abstract concept for environments: since
variables are represented as projection functions from lists (think of q as taking the head
of a list, and p as taking the tail), it is enough to have sequences together with projections.

Definition 5.6 (Sequences). Given a set A, a set A* has sequences over A if there are
distinguished operations ⊤ : A*, Pair : A* × A → A*, fst : A* → A*, and snd : A* → A
such that

fst (Pair a b) = a
snd (Pair a b) = b.

Now we need to extend the notion of PERs over A to PERs over A* for interpreting
substitutions.

Definition 5.7. Let A be an applicative structure and let A* have sequences over A;
moreover let X ∈ PER(A*) and F ∈ X → PER(A).

(1) 1 = {(⊤, ⊤)};

(2) ⨆ X F = {(a, a') | fst a = fst a' ∈ X and snd a = snd a' ∈ F (fst a)}.

Until here we have introduced semantic concepts. Now we are going to axiomatise the 
notion of evaluation, connecting the syntactic realm with the semantic one. 

Definition 5.8 (Environment model). Let (A, 𝒰, T, [_]) be a PER model and let A* have
sequences over A. We call M = (A, 𝒰, T, [_], A*, ⟦_⟧, ⟦_⟧') an environment model if the
evaluation functions ⟦_⟧_ : Terms × A* → A and ⟦_⟧'_ : Subst × A* → A* satisfy:

⟦id⟧'a = a                                ⟦U⟧a = U
⟦()⟧'a = ⊤                                ⟦Fun A B⟧a = Fun (⟦A⟧a) F, where F b = ⟦B⟧(Pair a b)
⟦σ δ⟧'a = ⟦σ⟧'(⟦δ⟧'a)                     ⟦{t}_A⟧a = Sing (⟦t⟧a) (⟦A⟧a)
⟦(σ, t)⟧'a = Pair (⟦σ⟧'a) (⟦t⟧a)          ⟦t σ⟧a = ⟦t⟧(⟦σ⟧'a)
⟦p⟧'a = fst a                             ⟦λt⟧a = f, where f · b = ⟦t⟧(Pair a b)
                                          ⟦app t u⟧a = (⟦t⟧a) · (⟦u⟧a)
                                          ⟦q⟧a = snd a

Since no ambiguities arise, we shall henceforth write ⟦σ⟧ instead of ⟦σ⟧'.

Once we have an environment model M we can define the denotation of contexts. The
second clause in the next definition is not well-defined a priori; its totality is a corollary of
Thm. 5.11.

Definition 5.9. Given an environment model M, we define recursively the semantics of
contexts ([_]) : Ctx → PER(A*):

(1) ([◇]) = 1,

(2) ([Γ.A]) = ⨆ ([Γ]) (a ↦ [⟦A⟧a]).

We use PERs for validating equality judgements and the domain of each PER for validating 
typing judgements. 

Definition 5.10 (Validity). Let M be an environment model. We define inductively the
predicate of satisfiability of judgements by the model, denoted with Γ ⊨ J:

(1) ◇ ⊨ iff true

(2) Γ.A ⊨ iff Γ ⊨ A

(3) Γ ⊨ A iff Γ ⊨ A = A

(4) Γ ⊨ A = A' iff Γ ⊨ and for all d = d' ∈ ([Γ]), ⟦A⟧d = ⟦A'⟧d' ∈ T

(5) Γ ⊨ t : A iff Γ ⊨ t = t : A

(6) Γ ⊨ t = t' : A iff Γ ⊨ A and for all d = d' ∈ ([Γ]), ⟦t⟧d = ⟦t'⟧d' ∈ [⟦A⟧d]

(7) Γ ⊨ σ : Δ iff Γ ⊨ σ = σ : Δ

(8) Γ ⊨ σ = σ' : Δ iff Γ ⊨ and Δ ⊨ and for all d = d' ∈ ([Γ]), ⟦σ⟧d = ⟦σ'⟧d' ∈ ([Δ]).

Theorem 5.11 (Soundness of the Judgements). Let M be a model. If Γ ⊢ J, then Γ ⊨ J.

Proof. By easy induction on Γ ⊢ J. □

The reader is invited to think of 1 as the terminal object of the category of PERs over A* and PER-
preserving morphisms; looked at this way, our definition of 1 does not differ very much from others [10, 21].



5.2. A concrete PER model. In this subsection we define a concrete PER model over a
Scott domain. The definition of the evaluation function is postponed to the next subsection,
after introducing the NbE machinery.

Definition 5.12. We define a domain

D = O ⊕ Var_⊥ ⊕ [D → D] ⊕ (D × D) ⊕ (D × D) ⊕ O ⊕ (D × [D → D]) ⊕ (D × D),

where Var is a denumerable set of variables (as usual we write x_i and assume x_i ≠ x_j if
i ≠ j, for i, j ∈ N), E_⊥ = E ∪ {⊥} is lifting, O = {⊤}_⊥ is the Sierpinski space, [D → D]
is the set of continuous functions from D to D, ⊕ is the coalesced sum (this is the disjoint
union where all the bottom elements are identified), and D × D is the Cartesian product
of D [6].

An element of D which is not ⊥ can be of one of the forms:

⊤               (d, d')        for d, d' ∈ D
Var x_i         U              for x_i ∈ Var
Lam f           Fun d f        for d ∈ D, and f ∈ [D → D]
App d d'        Sing d d'      for d, d' ∈ D.

Elements of the form Var x_i and App d d' are called neutral; in this section, we reuse the
letter k to denote neutral elements of D.

In order to define an environment model over D, we endow it with an applicative
structure. Note also that D has pairing, letting us take the set of sequences over D
simply as D* = D with Pair a b = (a, b). We define application _·_ : [D × D → D] and the
projections fst, snd : [D → D] by

f · d = if f = Lam f' then f' d else ⊥,
fst d = if d = (d_1, d_2) then d_1 else ⊥,
snd d = if d = (d_1, d_2) then d_2 else ⊥.

We define a partial function R_ : N → D → Terms which reifies elements from the model
into terms; this function is similar to Grégoire and Leroy's read-back function [31].

Definition 5.13 (Read-back function).

R_j U = U                                                R_j (App d d') = app (R_j d) (R_j d')
R_j (Fun X F) = Fun (R_j X) (R_{j+1} (F (Var x_j)))      R_j (Lam f) = λ (R_{j+1} (f (Var x_j)))
R_j (Sing d X) = {R_j d}_{R_j X}                         R_j (Var x_i) = v_{j-(i+1)} if i < j, and v_0 otherwise

As explained in Sect. 4.2, the reification of variables turns de Bruijn levels into de
Bruijn indices. Note that in case j < i + 1 we return the 0th de Bruijn index just not to be
undefined; we will come back to this later.

The next PERs contain those elements of the domain D whose reification is defined
for any context length. Moreover, their elements are reified as neutral terms and normal
forms, respectively, allowing us to reason semantically about normal forms. Remember that
t =_T t' denotes that t is syntactically equal to t' and t ∈ T.

Definition 5.14 ((Semantic) neutral terms and normal forms).

d = d' ∈ Ne :⟺ for all i ∈ N, R_i d and R_i d' are defined and R_i d =_Ne R_i d'
d = d' ∈ Nf :⟺ for all i ∈ N, R_i d and R_i d' are defined and R_i d =_Nf R_i d'

Notice that if the case j < i + 1 were undefined in the clause for variables in 5.13, then for
any m the application R_0 (Var x_m) would be undefined; hence Var x_m ∉ Ne and, consequently,
Ne would be empty. Since we depend on having a semantic representation of variables and
neutrals we add the case j < i + 1. This case will not arise in our use of the read-back
function.

Remark 5.15. These are clearly PERs over D: symmetry is trivial and transitivity follows
from transitivity of the syntactical equality.

Lemma 5.16 (Closure properties of Ne and Nf).

(1) U = U ∈ Nf.

(2) Let X = X' ∈ Nf. If F · k = F' · k' ∈ Nf for all k = k' ∈ Ne, then Fun X F =
Fun X' F' ∈ Nf.

(3) If d = d' ∈ Nf and X = X' ∈ Nf, then Sing d X = Sing d' X' ∈ Nf.

(4) If f · k = f' · k' ∈ Nf for all k = k' ∈ Ne, then f = f' ∈ Nf.

(5) Var x_i = Var x_i ∈ Ne for all i ∈ N.

(6) If k = k' ∈ Ne and d = d' ∈ Nf, then App k d = App k' d' ∈ Ne.

We define 𝒰, T ∈ PER(D) and [_] : dom(T) → PER(D) using Dybjer's schema of
inductive-recursive definition [25]. We show then that [_] is a family of PERs over D.

Definition 5.17 (PER model).

(1) Inductive definition of 𝒰 ∈ PER(D).

(a) Ne ⊆ 𝒰,

(b) if X = X' ∈ 𝒰 and d = d' ∈ [X], then Sing d X = Sing d' X' ∈ 𝒰,

(c) if X = X' ∈ 𝒰 and for all d = d' ∈ [X], F d = F' d' ∈ 𝒰, then Fun X F =
Fun X' F' ∈ 𝒰.

(2) Inductive definition of T ∈ PER(D).

(a) 𝒰 ⊆ T,

(b) U = U ∈ T,

(c) if X = X' ∈ T, and d = d' ∈ [X], then Sing d X = Sing d' X' ∈ T,

(d) if X = X' ∈ T, and for all d = d' ∈ [X], F d = F' d' ∈ T, then Fun X F =
Fun X' F' ∈ T.

(3) Recursive definition of [_] ∈ dom(T) → PER(D).

(a) [U] = 𝒰,

(b) [Sing d X] = {d}_{[X]},

(c) [Fun X F] = Π [X] (d ↦ [F d]),

(d) [d] = Ne, in all other cases.

Remark 5.18. The generation order ⊏ on T is well-founded. The minimal elements are
U and the elements of Ne; X ⊏ Fun X F, and for all d ∈ [X], F d ⊏ Fun X F; and, finally,
X ⊏ Sing d X.

Lemma 5.19. The function [_] : dom(T) → PER(D) is a family of PER(D) over T, i.e.,
[_] : T → PER(D).

Proof. By induction on X = X' ∈ T. See Appendix C.1. □

The previous lemma leads us to the definition of a PER model over D. Note also that
D has all the distinguished elements needed to call it a syntactical applicative structure.

Corollary 5.20. The tuple (D, 𝒰, T, [_]) is a PER model. □



5.3. Normalisation and η-Expansion in the Model. In the following, we adapt the
NbE algorithm outlined in Section 4 to the dependent type theory λ^Sing. Since read-back
has already been defined, we only require reflection, reification and evaluation functions.

Definition 5.21 (Reflection and reification). The partial functions ↑_, ↓_ : [D → [D →
D]] and ⇓ : [D → D] are given as follows:

↑_{Fun X F} k = Lam(d ↦ ↑_{F d} (App k (↓_X d)))      ↓_{Fun X F} d = Lam(e ↦ ↓_{F (↑_X e)} (d · ↑_X e))
↑_{Sing d X} k = d                                     ↓_{Sing d X} e = ↓_X d
↑_U k = k                                              ↓_U d = ⇓ d
↑_X k = k, in all other cases.                         ↓_X d = d, in all other cases.

⇓ (Fun X F) = Fun (⇓ X) (d ↦ ⇓ (F (↑_X d)))
⇓ (Sing d X) = Sing (↓_X d) (⇓ X)
⇓ U = U
⇓ X = X, in all other cases.

In the following lemma we show that reflection ↑ corresponds to Berger and Schwichtenberg's
"make self evaluating" and both reification functions ↓ and ⇓ correspond to "inverse of the
evaluation function" [16]. Note that they are indexed by type values instead of syntactic
types, since we are dealing with dependent instead of simple types.

Lemma 5.22 (Characterisation of ↑, ↓, and ⇓). Let X = X' ∈ T, then

(1) if k = k' ∈ Ne then ↑_X k = ↑_{X'} k' ∈ [X];

(2) if d = d' ∈ [X], then ↓_X d = ↓_{X'} d' ∈ Nf;

(3) and also ⇓ X = ⇓ X' ∈ Nf.

Proof. By induction on X = X' ∈ T. See C.2. □
Let us recapitulate what we have achieved: we have defined a PER model over the
domain D; then we defined a family of functions indexed over denotations of types with
the property that when applied to elements in the corresponding PER we get back elements
which will be reified as normal forms. In fact, we have the stronger result that whenever
we apply ↓_X to two related elements d = d' ∈ [X] we get elements to be reified as the same
term.

Now we define evaluation, which clearly satisfies the environment model conditions in
Def. 5.8; hence we have a model and, using Thm. 5.11, we conclude completeness for our
normalisation algorithm.

Definition 5.23 (Semantics). Evaluation of substitutions and terms into D is defined
inductively by the following equations.

Substitutions.

⟦()⟧d = ⊤                          ⟦id⟧d = d
⟦(σ, t)⟧d = (⟦σ⟧d, ⟦t⟧d)            ⟦p⟧d = fst d
⟦σ δ⟧d = ⟦σ⟧(⟦δ⟧d)

Terms (and types).

⟦U⟧d = U                           ⟦Fun A B⟧d = Fun (⟦A⟧d) (e ↦ ⟦B⟧(d, e))
⟦{a}_A⟧d = Sing (⟦a⟧d) (⟦A⟧d)       ⟦app t u⟧d = ⟦t⟧d · ⟦u⟧d
⟦λt⟧d = Lam(d' ↦ ⟦t⟧(d, d'))        ⟦t σ⟧d = ⟦t⟧(⟦σ⟧d)
⟦q⟧d = snd d

Theorem 5.24 (Completeness of NbE). Let Γ ⊢ t = t' : A and let also d ∈ ([Γ]); then

↓_{⟦A⟧d} ⟦t⟧d = ↓_{⟦A⟧d} ⟦t'⟧d ∈ Nf.

Proof. By Thm. 5.11 we have ⟦t⟧d = ⟦t'⟧d ∈ [⟦A⟧d] and we conclude by Lem. 5.22. □



5.4. Calculus λ^Irr with proof irrelevance. We extend all the definitions concerning the
construction of the model.

Definition 5.25 (Extension of domain D).

D = ... ⊕ D × [D → D] ⊕ D ⊕ D
      ⊕ O ⊕ O ⊕ D ⊕ [D → D] × D × [D → [D → D]] × D
      ⊕ D ⊕ O ⊕ N ⊕ N × N ⊕ N × [D → D] × D^n × D.

We use the following notations for the injections into D:

Sum d F, Fst d, Snd d       for d ∈ D, F ∈ [D → D]
zero, Nat, *
suc d, Prf d                for d ∈ D
N_n, c_i^n                  for i, n ∈ N
Natrec(F, d, g, d')         for d, d' ∈ D, F ∈ [D → D], g ∈ [D → [D → D]]
Case^n(F, d⃗, d')            for d, d' ∈ D, F ∈ [D → D], d⃗ ∈ D^n, n ∈ N
In this extension, the injections Fst, Snd, Natrec, and Case construct neutral elements k.
Soundness for the calculus (⊢*) requires the canonical element for proof-irrelevant types (*)
to be in every PER; thus we need to redefine application _·_ to have * ∈ [Fun X F]:

* · d = *.

We also redefine the projections fst and snd to account for neutrals, and because they are
used in the definition of ⨆ X F, which will be used as the denotation of sigma types:

fst d = d_1       if d = (d_1, d_2)
fst d = *         if d = *
fst d = Fst d     otherwise

snd d = d_2       if d = (d_1, d_2)
snd d = *         if d = *
snd d = Snd d     otherwise



Definition 5.26 (Read-back function).

R_j (Sum X F) = Σ (R_j X) (R_{j+1} (F (Var x_j)))
R_j Nat = Nat
R_j zero = zero
R_j (suc d) = suc (R_j d)
R_j (Prf d) = Prf (R_j d)
R_j (N_n) = N_n
R_j * = *
R_j (d, d') = (R_j d, R_j d')
R_j (Fst d) = fst (R_j d)
R_j (Snd d) = snd (R_j d)
R_j (Natrec(F, d, f, e)) = natrec (R_{j+1} (F (Var x_j))) (R_j d) (R_j f) (R_j e)
R_j (Case^n(F, (d_0, ..., d_{n-1}), e)) = case^n (R_{j+1} (F (Var x_j))) (R_j d_0) ... (R_j d_{n-1}) (R_j e)

We define inductively new PERs for interpreting naturals and finite types. Note that C_0
and C_1 are irrelevant; in this way we can model η-expansion for N_0 and N_1. |X| is also
irrelevant, even when X distinguishes its elements.

Definition 5.27 (More semantic types).

(1) 𝒩 is the smallest PER over D such that

(a) Ne ⊆ 𝒩,

(b) zero = zero ∈ 𝒩,

(c) suc d = suc d' ∈ 𝒩, if d = d' ∈ 𝒩.

(2) If X ∈ PER(D) then |X| := {(d, d') | d, d' ∈ dom(X) ∪ {*}} ∈ PER(D).

(3) C_0 = |∅| = {(*, *)},

(4) C_1 = |{c_0^1}| = {(d, d') | d, d' ∈ {*, c_0^1}},

(5) C_n = {(c_i^n, c_i^n) | i < n} ∪ Ne, for n ≥ 2.

We add new clauses to the definitions of the partial equivalence relations for the universe and
types; these clauses do not affect the well-foundedness of the order ⊏ defined in 5.18, but now
N_n and Nat are also minimal elements for that order.

Definition 5.28 (Extension of 𝒰 and T).

(1) Inductive definition of 𝒰 ∈ PER(D).

(a) if X = X' ∈ 𝒰, and for all d = d' ∈ [X], F d = F' d' ∈ 𝒰, then Sum X F =
Sum X' F' ∈ 𝒰,

(b) Nat = Nat ∈ 𝒰,

(c) N_n = N_n ∈ 𝒰,

(d) if X = X' ∈ 𝒰, then Prf X = Prf X' ∈ 𝒰.

(2) Inductive definition of T ∈ PER(D).

(a) if X = X' ∈ T, and for all d = d' ∈ [X], F d = F' d' ∈ T, then Sum X F =
Sum X' F' ∈ T,

(b) if X = X' ∈ T, then Prf X = Prf X' ∈ T.

(3) Recursive definition of [_] ∈ dom(T) → PER(D).

(a) [Sum X F] = ⨆ [X] (d ↦ [F d]),

(b) [N_n] = C_n,

(c) [Nat] = 𝒩,

(d) if X ∈ dom(T), then [Prf X] = {(*, *)}.

Note that in the PER model, all propositions Prf X are inhabited. In fact, all types are
inhabited, for there is a reflection from variables into any type, be it empty or not. So, the
PER model is unsuited for refuting propositions. However, the logical relation we define in
the next section will only be inhabited for non-empty types.

Remark 5.29. It can be proved by induction on X ∈ T that * ∈ [X].



Definition 5.30 (Reflection and reification, cf. 5.21).

↑_{Sum X F} k = (↑_X (Fst k), ↑_{F (↑_X (Fst k))} (Snd k))      ↓_{Sum X F} d = (↓_X (fst d), ↓_{F (fst d)} (snd d))
↑_Nat k = k                                                 ↓_Nat d = d
↑_{N_0} k = *                                               ↓_{N_0} d = *
↑_{N_1} k = c_0^1                                            ↓_{N_1} d = c_0^1
↑_{N_n} k = k    for n ≥ 2                                   ↓_{N_n} d = d

⇓ (Sum X F) = Sum (⇓ X) (d ↦ ⇓ (F (↑_X d)))                  ⇓ Nat = Nat
⇓ N_n = N_n                                                  ⇓ (Prf X) = Prf (⇓ X)

For giving semantics to the eliminators for data types we need to define partial functions natrec :
[D → D] × D × D × D → D, and case^n : [D → D] × D^n × D → D.

Definition 5.31 (Eliminations on D).

(1) Elimination operator for naturals.

natrec(F, d, f, *) = *
natrec(F, d, f, zero) = d
natrec(F, d, f, suc e) = (f · e) · natrec(F, d, f, e)
natrec(F, d, f, k) = ↑_{F k} (Natrec(d' ↦ ⇓ (F d'),
                                      ↓_{F zero} d,
                                      Lam(d' ↦ Lam(e' ↦ ↓_{F (suc d')} (f · d' · e'))),
                                      k))

(2) Elimination operator for finite types.

case^n(F, (d_0, ..., d_{n-1}), *) = *
case^n(F, (d_0, ..., d_{n-1}), c_i^n) = d_i
case^n(F, (c_0^n, ..., c_{n-1}^n), d) = d
case^n(F, (d_0, ..., d_{n-1}), k) = ↑_{F k} (Case^n(e ↦ ⇓ (F e), (↓_{F c_0^n} d_0, ..., ↓_{F c_{n-1}^n} d_{n-1}), k))

Remark 5.32. If for all d = d' ∈ 𝒩, F d = F' d' ∈ T, and z = z' ∈ [F zero], and for all
d = d' ∈ 𝒩 and e = e' ∈ [F d], s · d · e = s' · d' · e' ∈ [F (suc d)], and d = d' ∈ 𝒩, then
natrec(F, z, s, d) = natrec(F', z', s', d') ∈ [F d].

With these new definitions we can now give the semantic equations for the new
constructs.

Definition 5.33 (Extension of interpretation).

⟦Σ A B⟧d = Sum (⟦A⟧d) (d' ↦ ⟦B⟧(d, d'))
⟦N_n⟧d = N_n
⟦Nat⟧d = Nat
⟦Prf A⟧d = Prf (⟦A⟧d)
⟦fst t⟧d = fst (⟦t⟧d)
⟦snd t⟧d = snd (⟦t⟧d)
⟦(t, t')⟧d = (⟦t⟧d, ⟦t'⟧d)
⟦zero⟧d = zero
⟦natrec B z s t⟧d = natrec(e ↦ ⟦B⟧(d, e), ⟦z⟧d, ⟦s⟧d, ⟦t⟧d)
⟦suc t⟧d = suc (⟦t⟧d)
⟦[a]⟧d = *
⟦t where [x] ← u⟧d = ⟦t⟧(d, *)
⟦c_i^n⟧d = c_i^n
⟦case^n B t_0 ... t_{n-1} t⟧d = case^n(e ↦ ⟦B⟧(d, e), (⟦t_0⟧d, ..., ⟦t_{n-1}⟧d), ⟦t⟧d)



Lemma 5.34 (Laws of proof elimination). β, η, and associativity for where are modelled by
the extended applicative structure.

Proof. See C.3. □

Remark 5.35. All of lemmata 5.19, 5.22, and theorems 5.11 and 5.24 are valid for the
extended calculus.

Note that we have defined a proof-irrelevant semantics for (⊢*) that collapses all elements
of Prf A to *, which leads to a more efficient implementation of the normalisation
function. However, this semantics is not sound if λ^Irr is extended with singleton types
interpreted analogously to C_1, i.e., [Sing d X] = |{d}_{[X]}|, because it does not model (sing-eq-el).
(We have d = * ∈ [Sing d X] for all d ∈ [X], but not necessarily d = * ∈ [X].) On the
other hand, λ^Irr without * can be extended to singleton types as explained in the following
remark.

Remark 5.36 (Extending λ^Irr by singleton types). Singleton types can be added
straightforwardly if we employ a proof-relevant semantics:

The domain D is not changed; in particular we have * ∈ D, and it is read back as before,
R_j * = *; hence * ∈ dom(Nf).

All the enumerated types are modelled in a uniform way: [N_n] = {(c_i^n, c_i^n) | i < n} ∪ Ne;
proof-irrelevance types Prf A are interpreted as the irrelevant PER with the same domain
as the PER for A: [Prf X] = {(d, d') | d, d' ∈ dom([X])}. Reflection and reification for Prf X
are defined respectively as

↑_{Prf X} d = ↑_X d    and    ↓_{Prf X} d = *.

With these definitions it is clear that the corresponding result for Lem. 5.22 is still valid.

Since dom([Prf X]) = dom([X]), introduction and elimination of proofs can be interpreted
as follows:

⟦[a]⟧d = ⟦a⟧d    and    ⟦b where [x] ← t⟧d = ⟦b⟧(d, ⟦t⟧d);

this model is sound with respect to the calculus (⊢) extended with singleton types; hence
Thm. 5.11 is valid.

Remark 5.37. As was previously said, we cannot use this PER model for proving that
there is no closed term in N_0. Instead, one can build a PER model, in the sense of 5.1, of
closed values, where [N_0] = ∅. By soundness (Thm. 5.11) it follows that there is no possible
derivation of ⊢ t : N_0.



6. Correctness of NbE 



In Thm. 5.24 we have proved that the NbE algorithm is complete with respect to the judgemental equality of our calculi; a corollary of that fact is totality of NbE.

Remark 6.1. Let $\Gamma \vdash t : A$. Given some $d \in ([\Gamma])$, we can conclude that $\mathsf{R}_{|\Gamma|} \downarrow^{[A]d} [t]d$ is a well-defined term in normal form.

In this section we prove correctness, with respect to the typing rules, for our NbE algorithm. This means that given a typing $\Gamma \vdash t : A$, when NbE is applied to $t$, the resulting normal form $v$ is provably equal to $t$; i.e. $\Gamma \vdash t = v : A$.

Let us anticipate the main results of this section. As a corollary of Thm. 6.11 we show that a term is related to its denotation with respect to some canonical environment (to be defined in Def. 6.12). Previously we prove in Lem. 6.6 that if a term is logically related to some semantic element, then its reification will be judgmentally equal to the term. Composing these facts we obtain correctness. As a consequence of having correctness and completeness for NbE, one gets decidability for judgmental equality: normalise both terms and check that they are syntactically the same. Another important corollary is injectivity for constructors.



6.1. Logical relations. In this subsection we define logical relations and prove some technical lemmas about them. As is standard with logical relations, one defines them by induction on types (here we define them by induction on the semantics of types, i.e. elements of $\mathcal{T}$); for basic types they are defined by prescribing the property to be proved, while for higher-order types they are defined using the relations of the domain and image types.

Definition 6.2 (Logical relations). We define simultaneously two families of binary relations:

(a) If $\Gamma \vdash$ then $(\Gamma \vdash \_ \sim \_ \in \mathcal{T}) \subseteq \{A \mid \Gamma \vdash A\} \times \mathcal{T}$ shall be a $\Gamma$-indexed family of relations between well-formed syntactic types $A$ and type values $X$.

(b) If $\Gamma \vdash A \sim X \in \mathcal{T}$ then $(\Gamma \vdash \_ : A \sim \_ \in [X]) \subseteq \{t \mid \Gamma \vdash t : A\} \times [X]$ shall be a $(\Gamma, A, X)$-indexed family of relations between terms $t$ of type $A$ and values $d$ in the PER $[X]$.

These relations are defined simultaneously by induction on $X \in \mathcal{T}$.

(1) Neutral types: $X \in \mathcal{N}e$.

(a) $\Gamma \vdash A \sim X \in \mathcal{T}$ iff for all $\Delta \leq \Gamma$, $\Delta \vdash A\,\mathsf{p}^{\ast} = \mathsf{R}_{|\Delta|}\,X$.

(b) $\Gamma \vdash t : A \sim d \in [X]$ iff $\Gamma \vdash A \sim X \in \mathcal{T}$, and for all $\Delta \leq \Gamma$, $\Delta \vdash t\,\mathsf{p}^{\ast} = \mathsf{R}_{|\Delta|} \downarrow^{X} d : A\,\mathsf{p}^{\ast}$.

(2) Universe.

(a) $\Gamma \vdash A \sim \mathsf{U} \in \mathcal{T}$ iff $\Gamma \vdash A = \mathsf{U}$.

(b) $\Gamma \vdash t : A \sim X \in [\mathsf{U}]$ iff $\Gamma \vdash A = \mathsf{U}$, and $\Gamma \vdash t \sim X \in \mathcal{T}$.

(3) Singletons.

(a) $\Gamma \vdash A \sim \mathsf{Sing}\,d\,X \in \mathcal{T}$ iff $\Gamma \vdash A = \{a\}_{A'}$ and $\Gamma \vdash a : A' \sim d \in [X]$.

(b) $\Gamma \vdash t : A \sim d' \in [\mathsf{Sing}\,d\,X]$ iff $\Gamma \vdash A = \{a\}_{A'}$ and $\Gamma \vdash t : A' \sim d \in [X]$, and $\Gamma \vdash A' \sim X \in \mathcal{T}$.

(4) Function spaces.

(a) $\Gamma \vdash A \sim \mathsf{Fun}\,X\,F \in \mathcal{T}$ iff $\Gamma \vdash A = \mathsf{Fun}\,A'\,B$ and $\Gamma \vdash A' \sim X \in \mathcal{T}$, and $\Delta \vdash B\,(\mathsf{p}^{\ast}, s) \sim F\,d \in \mathcal{T}$ for all $\Delta \leq \Gamma$ and $\Delta \vdash s : A'\,\mathsf{p}^{\ast} \sim d \in [X]$.

(b) $\Gamma \vdash t : A \sim f \in [\mathsf{Fun}\,X\,F]$ iff $\Gamma \vdash A = \mathsf{Fun}\,A'\,B$, $\Gamma \vdash A' \sim X \in \mathcal{T}$, and $\Delta \vdash \mathsf{app}\,(t\,\mathsf{p}^{\ast})\,s : B\,(\mathsf{p}^{\ast}, s) \sim f \cdot d \in [F\,d]$ for all $\Delta \leq \Gamma$ and $\Delta \vdash s : A'\,\mathsf{p}^{\ast} \sim d \in [X]$.

The following technical lemmata show that the logical relations are preserved by judgmental equality, weakening of the judgement, and the equalities on the corresponding PERs. These lemmata are proved simultaneously for types and terms.

Lemma 6.3 (Closure under conversion). Let $\Gamma \vdash A \sim X \in \mathcal{T}$ and $\Gamma \vdash A = A'$. Then,

(a) $\Gamma \vdash A' \sim X \in \mathcal{T}$, and

(b) if $\Gamma \vdash t : A \sim d \in [X]$ and $\Gamma \vdash t = t' : A$ then $\Gamma \vdash t' : A' \sim d \in [X]$.

Proof. By induction on $X \in \mathcal{T}$. See C.4 □

Lemma 6.4 (Monotonicity). Let $\Delta \leq \Gamma$, then

(a) if $\Gamma \vdash A \sim X \in \mathcal{T}$, then $\Delta \vdash A\,\mathsf{p}^{\ast} \sim X \in \mathcal{T}$; and

(b) if $\Gamma \vdash t : A \sim d \in [X]$, then $\Delta \vdash t\,\mathsf{p}^{\ast} : A\,\mathsf{p}^{\ast} \sim d \in [X]$.

Proof. By induction on $X \in \mathcal{T}$. See C.5 □

Lemma 6.5 (Closure under PERs). Let $\Gamma \vdash A \sim X \in \mathcal{T}$, then

(a) if $X = X' \in \mathcal{T}$, then $\Gamma \vdash A \sim X' \in \mathcal{T}$; and

(b) if $\Gamma \vdash t : A \sim d \in [X]$ and $d = d' \in [X]$, then $\Gamma \vdash t : A \sim d' \in [X]$.

Proof. By induction on $X = X' \in \mathcal{T}$. See C.6 □

The following lemma plays a key role in the proof of soundness. It proves that if a term is related to some element in (some PER), then it is convertible to the reification of the corresponding element in the PER of normal forms.

Lemma 6.6. Let $\Gamma \vdash A \sim X \in \mathcal{T}$. Then,

(a) $\Gamma \vdash A = \mathsf{R}_{|\Gamma|} \Downarrow X$,

(b) if $\Gamma \vdash t : A \sim d \in [X]$ then $\Gamma \vdash t = \mathsf{R}_{|\Gamma|} \downarrow^{X} d : A$; and

(c) if $k \in \mathcal{N}e$ and for all $\Delta \leq \Gamma$, $\Delta \vdash t\,\mathsf{p}^{\ast} = \mathsf{R}_{|\Delta|}\,k : A\,\mathsf{p}^{\ast}$, then $\Gamma \vdash t : A \sim \uparrow^{X} k \in [X]$.

Proof. By induction on $X \in \mathcal{T}$. See C.7 □



In order to finish the proof of soundness we have to prove that each well-typed term (and each well-formed type) is logically related to its denotation; with that aim we extend the definition of logical relations to substitutions and prove the fundamental theorem of logical relations.

Definition 6.7 (Logical relation for substitutions).

(1) $\Gamma \vdash \sigma : \diamond \sim d \in \mathbf{1}$ always holds.

(2) $\Gamma \vdash (\sigma, t) : \Delta.A \sim (d, d') \in \mathsf{Sum}\,X\,F$ iff $\Gamma \vdash \sigma : \Delta \sim d \in X$, $\Gamma \vdash A\sigma \sim F\,d \in \mathcal{T}$, and $\Gamma \vdash t : A\sigma \sim d' \in [F\,d]$.

By the way this relation is defined, the counterparts of 6.3, 6.4 and 6.5 are easily proved by induction on the co-domain of the substitutions.

Remark 6.8. If $\Gamma \vdash \gamma = \delta : \Delta$, and $\Gamma \vdash \gamma : \Delta \sim d \in X$, then $\Gamma \vdash \delta : \Delta \sim d \in X$.

Remark 6.9. If $\Gamma \vdash \delta : \Delta \sim d \in X$, then for any $\Theta \leq \Gamma$, $\Theta \vdash \delta\,\mathsf{p}^{\ast} : \Delta \sim d \in X$.

Remark 6.10. If $\Gamma \vdash \gamma : \Delta \sim d \in X$, and $d = d' \in X$, then $\Gamma \vdash \gamma : \Delta \sim d' \in X$.

Theorem 6.11 (Fundamental theorem of logical relations). Let $\Delta \vdash \delta : \Gamma \sim d \in ([\Gamma])$.

(1) If $\Gamma \vdash A$, then $\Delta \vdash A\delta \sim [A]d \in \mathcal{T}$;

(2) if $\Gamma \vdash t : A$, then $\Delta \vdash t\delta : A\delta \sim [t]d \in [[A]d]$; and

(3) if $\Gamma \vdash \gamma : \Theta$, then $\Delta \vdash \gamma\delta : \Theta \sim [\gamma]d \in ([\Theta])$.

Proof. By mutual induction on the derivations. See C.9 □



We define for each context $\Gamma$ an element $\rho_\Gamma$ of $D$. This environment will be used to define the normalisation function.

Definition 6.12 (Canonical environment). We define $\rho_\Gamma$ by induction on $\Gamma$ as follows:

$$\rho_\diamond = \top$$
$$\rho_{\Gamma.A} = (d', \uparrow^{[A]d'} \mathsf{Var}_n) \quad \text{where } n = |\Gamma| \text{ and } d' = \rho_\Gamma .$$

By an immediate induction on contexts we can check the following.

Lemma 6.13. If $\Gamma \vdash$ then $\Gamma \vdash \mathsf{id}_\Gamma : \Gamma \sim \rho_\Gamma \in ([\Gamma])$.

Proof. By induction on $\Gamma \vdash$. See C.8 □



6.2. Main results. Now we can define concretely the normalisation function as the composition of reification with normalisation after evaluation under the canonical environment. The following corollaries just instantiate previous lemmata and theorems, concluding correctness of NbE.

Definition 6.14 (Normalisation algorithm). Let $\Gamma \vdash A$, and $\Gamma \vdash t : A$.

$$\mathsf{nbe}_\Gamma(A) = \mathsf{R}_{|\Gamma|} \Downarrow [A]\rho_\Gamma$$
$$\mathsf{nbe}^A_\Gamma(t) = \mathsf{R}_{|\Gamma|} \downarrow^{[A]\rho_\Gamma} [t]\rho_\Gamma$$

Notice that if we instantiate Thm. 6.11 with $\rho_\Gamma$, then a well-typed term $t$ under $\Gamma$ will be logically related to its denotation. Finally, using the key lemma 6.6 we conclude correctness for NbE.

Corollary 6.15. Let $\Gamma \vdash A$ and $\Gamma \vdash t : A$; then by the fundamental theorem of logical relations (and Lem. 6.3),

(1) $\Gamma \vdash A \sim [A]\rho_\Gamma \in \mathcal{T}$; and

(2) $\Gamma \vdash t : A \sim [t]\rho_\Gamma \in [[A]\rho_\Gamma]$.

Corollary 6.16 (Soundness of NbE). By way of Lem. 6.6, it follows immediately

(1) $\Gamma \vdash A = \mathsf{nbe}(A)$, and

(2) $\Gamma \vdash t = \mathsf{nbe}(t) : A$.

We have now a decision procedure for judgmental equality; for deciding $\Gamma \vdash t = t' : A$, put both terms in normal form and check if they are syntactically equal.

Corollary 6.17. If $\Gamma \vdash A$, and $\Gamma \vdash A'$, then we can decide $\Gamma \vdash A = A'$. Also if $\Gamma \vdash t : A$, and $\Gamma \vdash t' : A$, we can decide $\Gamma \vdash t = t' : A$.

As a byproduct we can conclude that type constructors are injective; this result is exploited in the next section where we introduce the type-checking algorithm. Injectivity of $\mathsf{Fun}$ plays a key role in all versions of dependent type theory with equality as judgement; cf. Adams' [7] proof of equivalence between PTS with equality as a judgement and equality taken as a relation between untyped terms, improved by Siles and Herbelin [52].

Remark 6.18. By expanding definitions, we easily check

(1) $\mathsf{nbe}_\Gamma(\mathsf{Fun}\,A\,B) = \mathsf{Fun}\,(\mathsf{nbe}_\Gamma(A))\,(\mathsf{nbe}_{\Gamma.A}(B))$, and

(2) $\mathsf{nbe}_\Gamma(\{a\}_A) = \{\mathsf{nbe}^A_\Gamma(a)\}_{\mathsf{nbe}_\Gamma(A)}$.

Corollary 6.19 (Injectivity of $\mathsf{Fun}\,\_\,\_$ and of $\{\_\}_{\_}$). If $\Gamma \vdash \mathsf{Fun}\,A\,B = \mathsf{Fun}\,A'\,B'$, then $\Gamma \vdash A = A'$, and $\Gamma.A \vdash B = B'$. Also if $\Gamma \vdash \{t\}_A = \{t'\}_{A'}$, then $\Gamma \vdash A = A'$, and $\Gamma \vdash t = t' : A$.



6.3. Calculus $\lambda^{\mathsf{Irr}}$ with proof irrelevance. In this section we introduce the logical relations for the new types in $\lambda^{\mathsf{Irr}}$. We skip the re-statement of the results given for $\lambda^{\mathsf{Sing}}$ in 6.1; instead we present in Appendix C the proof for some of the new cases arising in this calculus for each of lemmata 6.3, 6.4, 6.5, 6.6 and theorem 6.11.

Definition 6.20 (cf. [6]).

(1) Sigma types.

(a) $\Gamma \vdash A \sim \mathsf{Sum}\,X\,F$ iff $\Gamma \vdash A = \Sigma\,A'\,B'$ and $\Gamma \vdash A' \sim X$ and, for all $\Delta \leq \Gamma$ and $\Delta \vdash s : A'\,\mathsf{p}^{\ast} \sim d \in [X]$, $\Delta \vdash B'\,(\mathsf{p}^{\ast}, s) \sim F\,d$.

(b) $\Gamma \vdash t : A \sim d \in [\mathsf{Sum}\,X\,F]$ iff $\Gamma \vdash A = \Sigma\,A'\,B'$ and $\Gamma \vdash \mathsf{fst}\,t : A' \sim \mathsf{fst}\,d \in [X]$ and $\Gamma \vdash \mathsf{snd}\,t : B'\,(\mathsf{id}_\Gamma, \mathsf{fst}\,t) \sim \mathsf{snd}\,d \in [F\,(\mathsf{fst}\,d)]$.

(2) Natural numbers.

(a) $\Gamma \vdash A \sim \mathsf{Nat}$ iff $\Gamma \vdash A = \mathsf{Nat}$.

(b) $\Gamma \vdash t : A \sim d \in [\mathsf{Nat}]$ iff $\Gamma \vdash A \sim \mathsf{Nat}$ and for all $\Delta \leq \Gamma$, $\Delta \vdash t\,\mathsf{p}^{\ast} = \mathsf{R}_{|\Delta|}\,d : \mathsf{Nat}$.

(3) Finite types.

(a) $\Gamma \vdash A \sim \mathsf{N}_n$ iff $\Gamma \vdash A = \mathsf{N}_n$.

(b) $\Gamma \vdash t : A \sim d \in [\mathsf{N}_n]$ iff $\Gamma \vdash A \sim \mathsf{N}_n$ and for all $\Delta \leq \Gamma$, $\Delta \vdash t\,\mathsf{p}^{\ast} = \mathsf{R}_{|\Delta|}\,d : \mathsf{N}_n$.

(4) Proof-irrelevance types.

(a) $\Gamma \vdash A \sim \mathsf{Prf}\,X \in \mathcal{T}$ iff $\Gamma \vdash A = \mathsf{Prf}\,A'$ and $\Gamma \vdash A' \sim X \in \mathcal{T}$.

(b) $\Gamma \vdash t : A \sim d \in [\mathsf{Prf}\,X]$ iff $\Gamma \vdash A \sim \mathsf{Prf}\,X$.

Remark 6.21.

(1) $\mathsf{nbe}_\Gamma(\Sigma\,A\,B) = \Sigma\,\mathsf{nbe}_\Gamma(A)\,\mathsf{nbe}_{\Gamma.A}(B)$;

(2) $\mathsf{nbe}^{\Sigma A B}_\Gamma((t, b)) = (\mathsf{nbe}^A_\Gamma(t), \mathsf{nbe}^{B(\mathsf{id}, t)}_\Gamma(b))$;

(3) $\mathsf{nbe}(\mathsf{suc}\,t) = \mathsf{suc}\,\mathsf{nbe}(t)$;

(4) $\mathsf{nbe}(\mathsf{Prf}\,A) = \mathsf{Prf}\,\mathsf{nbe}(A)$.

Corollary 6.22. If $\Gamma \vdash \Sigma\,A\,B = \Sigma\,A'\,B'$, then $\Gamma \vdash A = A'$, and $\Gamma.A \vdash B = B'$.



7. Type-checking algorithm 

In this section, we define a couple of judgements that represent a bidirectional type checking algorithm for terms in normal form; its implementation in Haskell can be found in the appendix. The algorithm is similar to previous ones [201 H], in that it proceeds by analysing the possible types for each normal form, and succeeds only if the type's shape matches the one required by the introduction rule of the term. The only difference is introduced by the presence of singleton types; now we should take into account that a normal form can also have a singleton as its type.

This situation can be dealt with in two possible ways: either one checks that the deepest tag of the normalised type (see Def. 7.2) has the form of the type of the introduction rule, or one adds a rule for checking any term against singleton types. The first approach requires more rules (this is due to the combination of singletons and a universe). We take the second approach, which requires computing the eta-long normal form of the type before type-checking. We also note that the proof of completeness is more involved, because now the algorithm is not only driven by the term being checked, but also by the type.

Our algorithm depends on having a good normalisation function; note that this function does not need to be based on normalisation by evaluation. Also note that the second point asks for correctness and completeness of the normalisation function.

Definition 7.1 (Good normalisation function).

(1) $\mathsf{nbe}(\{a\}_A) = \{\mathsf{nbe}(a)\}_{\mathsf{nbe}(A)}$ and $\mathsf{nbe}(\mathsf{Fun}\,A\,B) = \mathsf{Fun}\,\mathsf{nbe}(A)\,\mathsf{nbe}(B)$;

(2) $\mathsf{nbe}_\Gamma(A) = \mathsf{nbe}_\Gamma(B)$ if and only if $\Gamma \vdash A = B$, and $\mathsf{nbe}^A_\Gamma(t) = \mathsf{nbe}^A_\Gamma(t')$ if and only if $\Gamma \vdash t = t' : A$.

From these properties we can prove the injectivity of $\mathsf{Fun}$, which is crucial for completeness of type checking $\lambda$-abstractions.

7.1. Type-checking $\lambda^{\mathsf{Sing}}$. In this section, let $V, V', W, v, v', w \in \mathcal{N}f$, and $k \in \mathcal{N}e$. For obtaining the deepest tag of a singleton type, we define an operation on types, which is essentially the same as the one defined by Aspinall [10].

Definition 7.2 (Singleton's tag).

$$\lfloor V \rfloor = \begin{cases} \lfloor W \rfloor & \text{if } V = \{w\}_W \\ V & \text{otherwise.} \end{cases}$$



The predicates for type-checking are defined mutually inductively, together with the function for inferring types.

Definition 7.3 (Type-checking and type-inference). We define three mutually inductive algorithmic judgements

$\Gamma \vdash V \Leftarrow$ : in context $\Gamma$, normal type $V$ checks;

$\Gamma \vdash v \Leftarrow V$ : in context $\Gamma$, normal term $v$ checks against type $V$;

$\Gamma \vdash k \Rightarrow V$ : in context $\Gamma$, the type of neutral term $k$ is inferred as $V$.

All three judgements presuppose and maintain the invariant that the input $\Gamma$ is a well-formed context. The procedures $\Gamma \vdash V \Leftarrow$ and $\Gamma \vdash v \Leftarrow V$ expect their inputs $V$ and $v$ in $\beta$-normal form. Inference $\Gamma \vdash k \Rightarrow V$ expects a neutral term $k$ and returns its principal type $V$ in long normal form.

Well-formedness checking of types $\Gamma \vdash V \Leftarrow$.

$$\frac{}{\Gamma \vdash \mathsf{U} \Leftarrow}\qquad \frac{\Gamma \vdash V \Leftarrow \quad \Gamma.V \vdash W \Leftarrow}{\Gamma \vdash \mathsf{Fun}\,V\,W \Leftarrow}\qquad \frac{\Gamma \vdash V \Leftarrow \quad \Gamma \vdash v \Leftarrow \mathsf{nbe}(V)}{\Gamma \vdash \{v\}_V \Leftarrow}\qquad \frac{\Gamma \vdash k \Rightarrow \mathsf{U}}{\Gamma \vdash k \Leftarrow}$$

Type checking terms $\Gamma \vdash v \Leftarrow V$.

$$\frac{\Gamma \vdash V \Leftarrow \mathsf{U} \quad \Gamma.V \vdash W \Leftarrow \mathsf{U}}{\Gamma \vdash \mathsf{Fun}\,V\,W \Leftarrow \mathsf{U}}\qquad \frac{\Gamma.V \vdash v \Leftarrow W}{\Gamma \vdash \lambda v \Leftarrow \mathsf{Fun}\,V\,W}$$

$$\frac{\Gamma \vdash V \Leftarrow \mathsf{U} \quad \Gamma \vdash v \Leftarrow \mathsf{nbe}(V)}{\Gamma \vdash \{v\}_V \Leftarrow \mathsf{U}}\qquad \frac{\Gamma \vdash v \Leftarrow V \quad \Gamma \vdash v = v' : V}{\Gamma \vdash v \Leftarrow \{v'\}_V}$$

$$\frac{\Gamma \vdash k \Rightarrow V' \quad \Gamma \vdash \lfloor V' \rfloor = V \quad V \neq \{w\}_W}{\Gamma \vdash k \Leftarrow V}$$

Type inference $\Gamma \vdash k \Rightarrow V$.

$$\frac{}{\Gamma.A_i.\ldots.A_0 \vdash \mathsf{v}_i \Rightarrow \mathsf{nbe}(A_i\,\mathsf{p}^{i+1})}\qquad \frac{\Gamma \vdash k \Rightarrow V \quad \Gamma \vdash \lfloor V \rfloor = \mathsf{Fun}\,V'\,W \quad \Gamma \vdash v \Leftarrow V'}{\Gamma \vdash \mathsf{app}\,k\,v \Rightarrow \mathsf{nbe}(W\,(\mathsf{id}, v))}$$

Bidirectional type checking for dependent function types is well understood [201 ES]; let us illustrate briefly how it works for singleton types, by considering the type checking problem $\{\mathsf{zero}\}_{\mathsf{Nat}} \vdash \mathsf{q} \Leftarrow \{\mathsf{zero}\}_{\mathsf{Nat}}$. Here is a skeletal derivation of this judgement, which is at the same time an execution trace of the type checker:

$$\frac{\dfrac{\{\mathsf{zero}\}_{\mathsf{Nat}} \vdash \mathsf{q} \Rightarrow \{\mathsf{zero}\}_{\mathsf{Nat}} \qquad \{\mathsf{zero}\}_{\mathsf{Nat}} \vdash \lfloor \{\mathsf{zero}\}_{\mathsf{Nat}} \rfloor = \mathsf{Nat}}{\{\mathsf{zero}\}_{\mathsf{Nat}} \vdash \mathsf{q} \Leftarrow \mathsf{Nat}} \qquad \{\mathsf{zero}\}_{\mathsf{Nat}} \vdash \mathsf{q} = \mathsf{zero} : \mathsf{Nat}}{\{\mathsf{zero}\}_{\mathsf{Nat}} \vdash \mathsf{q} \Leftarrow \{\mathsf{zero}\}_{\mathsf{Nat}}}$$

Since the type to check against is a singleton, the algorithm proceeds by checking $\{\mathsf{zero}\}_{\mathsf{Nat}} \vdash \mathsf{q} \Leftarrow \mathsf{Nat}$ and $\{\mathsf{zero}\}_{\mathsf{Nat}} \vdash \mathsf{q} = \mathsf{zero} : \mathsf{Nat}$. Now the type of the neutral $\mathsf{q}$ is inferred and its tag compared to the given type $\mathsf{Nat}$; as the tag is also $\mathsf{Nat}$, the check succeeds. The remaining equation $\{\mathsf{zero}\}_{\mathsf{Nat}} \vdash \mathsf{q} = \mathsf{zero} : \mathsf{Nat}$ is derivable by (sing-eq-el). Of course, the equations are checked by the $\mathsf{nbe}(\_)$ function; for example, by using our own function for normalisation we have $\mathsf{nbe}^{\mathsf{Nat}}_{\{\mathsf{zero}\}_{\mathsf{Nat}}}(\mathsf{q}) = \mathsf{zero} = \mathsf{nbe}^{\mathsf{Nat}}_{\{\mathsf{zero}\}_{\mathsf{Nat}}}(\mathsf{zero})$.
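The trace above, re-run mechanically: this is an added Python re-implementation (not the paper's Haskell of the appendix) of the singleton rule, the neutral rule and the tag of Def. 7.2, on a constructed fragment with only $\mathsf{Nat}$, singleton types, variables, $\mathsf{zero}$ and $\mathsf{suc}$; the names `nf`, `nf_ty`, `check`, `infer`, `tag` and the term classes are all my own, and `nf` is a hypothetical normaliser whose only real step is singleton eta.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Nat:                  # the type Nat
    pass

@dataclass(frozen=True)
class Sing:                 # the singleton type {elem}_ty
    elem: object
    ty: object

@dataclass(frozen=True)
class Var:                  # de Bruijn index; 0 is the last entry of the context
    idx: int

@dataclass(frozen=True)
class Zero:
    pass

@dataclass(frozen=True)
class Suc:
    arg: object

def shift(t, k):
    """Weaken t by k variables; the fragment has no binders, so every Var moves."""
    if isinstance(t, Var):
        return Var(t.idx + k)
    if isinstance(t, Suc):
        return Suc(shift(t.arg, k))
    if isinstance(t, Sing):
        return Sing(shift(t.elem, k), shift(t.ty, k))
    return t

def type_of_var(ctx, i):
    """ctx[0] is the innermost binding; ctx[i] lives in ctx[i+1:], so weaken by i+1."""
    return shift(ctx[i], i + 1)

def nf_ty(ctx, ty):
    """Long normal form of a type: normalise the element inside each singleton."""
    if isinstance(ty, Sing):
        return Sing(nf(ctx, ty.ty, ty.elem), nf_ty(ctx, ty.ty))
    return ty

def nf(ctx, ty, t):
    """Type-directed normal form (hypothetical normaliser). The only non-trivial
    step is singleton eta (sing-eq-el): a term of type {a}_A is equal to a."""
    ty = nf_ty(ctx, ty)
    if isinstance(ty, Sing):
        return nf(ctx, ty.ty, ty.elem)
    if isinstance(t, Suc):
        return Suc(nf(ctx, Nat(), t.arg))
    if isinstance(t, Var):
        vty = nf_ty(ctx, type_of_var(ctx, t.idx))
        if isinstance(vty, Sing):        # a variable of singleton type unfolds as well
            return nf(ctx, vty.ty, vty.elem)
    return t

def tag(v_ty):
    """Def. 7.2: the deepest tag of a normal singleton type."""
    while isinstance(v_ty, Sing):
        v_ty = v_ty.ty
    return v_ty

def infer(ctx, k):
    """Gamma |- k => V; variables are the only neutral terms of this fragment."""
    if isinstance(k, Var) and k.idx < len(ctx):
        return nf_ty(ctx, type_of_var(ctx, k.idx))
    return None

def check(ctx, v, v_ty):
    """Gamma |- v <= V, for V in long normal form."""
    if isinstance(v_ty, Sing):
        # the rule for singleton types: check against the underlying type, then
        # decide Gamma |- v = elem : ty by comparing normal forms
        return (check(ctx, v, v_ty.ty)
                and nf(ctx, v_ty.ty, v) == nf(ctx, v_ty.ty, v_ty.elem))
    if isinstance(v_ty, Nat):
        if isinstance(v, Zero):
            return True
        if isinstance(v, Suc):
            return check(ctx, v.arg, Nat())
    if isinstance(v, Var):
        # neutral term: infer its type and compare its tag with the expected type
        inferred = infer(ctx, v)
        return inferred is not None and tag(inferred) == v_ty
    return False

# The instance traced in the text: {zero}_Nat |- q <= {zero}_Nat, with q = Var(0).
ZERO_NAT = Sing(Zero(), Nat())
CTX = [ZERO_NAT]

if __name__ == "__main__":
    print(check(CTX, Var(0), ZERO_NAT))       # True
    print(nf(CTX, Nat(), Var(0)) == Zero())   # True: q normalises to zero
    print(check([Nat()], Var(0), ZERO_NAT))   # False: a q of type Nat is not zero
```

The third call shows the equation premise failing while the tag comparison still succeeds, which is exactly why the singleton rule needs both premises.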

Theorem 7.4 (Correctness of type-checking).

(1) If $\Gamma \vdash V \Leftarrow$, then $\Gamma \vdash V$.

(2) If $\Gamma \vdash v \Leftarrow V$, then $\Gamma \vdash v : V$.

(3) If $\Gamma \vdash k \Rightarrow V$, then $\Gamma \vdash k : V$.

Proof. By simultaneous induction on $\Gamma \vdash V \Leftarrow$, $\Gamma \vdash v \Leftarrow V$ and $\Gamma \vdash k \Rightarrow V$. See C.10 □

In order to prove completeness we define a lexicographic order on pairs of terms and types; in this way we can make induction over the term and the type.

Definition 7.5. Let $v, v' \in \mathcal{N}f$, and $A, A' \in \mathrm{Type}(\Gamma)$; then $(v, A) \prec (v', A')$ is the lexicographic order on $\mathcal{N}f \times \mathrm{Type}(\Gamma)$. The corresponding orders are $v \prec v'$ iff $v$ is an immediate sub-term of $v'$; and $A \prec A'$ iff $\mathsf{nbe}(A') = \{v\}_{\mathsf{nbe}(A)}$.

Theorem 7.6 (Completeness of type-checking).

(1) If $\Gamma \vdash V$, then $\Gamma \vdash V \Leftarrow$.

(2) If $\Gamma \vdash v : A$, then $\Gamma \vdash v \Leftarrow \mathsf{nbe}(A)$.

(3) If $\Gamma \vdash k : A$, and $\Gamma \vdash k \Rightarrow V'$, then $\Gamma \vdash \mathsf{nbe}(A) = V'$.

Proof. We prove these three statements simultaneously by well-founded induction on the order $\prec$. The respective measures are (1) $(V, \mathsf{U})$, (2) $(v, A)$, and (3) $(k, A)$. Details are in the Appendix C.11. □



7.2. Calculus $\lambda^{\mathsf{Irr}}$ with proof irrelevance. We give additional rules for the type-checking and type-inference algorithms for the constructs added in Sect. 2.2. Remember that we distinguished two calculi: the calculus $(\vdash\star)$ has rules ($\mathsf{N}_0$-tm) and (prf-tm), while $(\vdash)$ lacks those rules.

Definition 7.7 (Type-checking and type-inference). $\Sigma$-types.

$$\frac{\Gamma \vdash V \Leftarrow \quad \Gamma.V \vdash W \Leftarrow}{\Gamma \vdash \Sigma\,V\,W \Leftarrow}\qquad \frac{\Gamma \vdash V \Leftarrow \mathsf{U} \quad \Gamma.V \vdash W \Leftarrow \mathsf{U}}{\Gamma \vdash \Sigma\,V\,W \Leftarrow \mathsf{U}}$$

$$\frac{\Gamma \vdash v \Leftarrow V \quad \Gamma \vdash v' \Leftarrow \mathsf{nbe}(W\,(\mathsf{id}_\Gamma, v))}{\Gamma \vdash (v, v') \Leftarrow \Sigma\,V\,W}$$

$$\frac{\Gamma \vdash k \Rightarrow V' \quad \Gamma \vdash \lfloor V' \rfloor = \Sigma\,V\,W}{\Gamma \vdash \mathsf{fst}\,k \Rightarrow V}\qquad \frac{\Gamma \vdash k \Rightarrow V' \quad \Gamma \vdash \lfloor V' \rfloor = \Sigma\,V\,W}{\Gamma \vdash \mathsf{snd}\,k \Rightarrow \mathsf{nbe}(W\,(\mathsf{id}_\Gamma, \mathsf{fst}\,k))}$$

Natural numbers.

$$\frac{}{\Gamma \vdash \mathsf{Nat} \Leftarrow}\qquad \frac{}{\Gamma \vdash \mathsf{Nat} \Leftarrow \mathsf{U}}\qquad \frac{}{\Gamma \vdash \mathsf{zero} \Leftarrow \mathsf{Nat}}\qquad \frac{\Gamma \vdash v \Leftarrow \mathsf{Nat}}{\Gamma \vdash \mathsf{suc}\,v \Leftarrow \mathsf{Nat}}$$

$$\frac{\Gamma.\mathsf{Nat} \vdash V \Leftarrow \quad \Gamma \vdash k \Rightarrow \mathsf{Nat} \quad \Gamma \vdash v \Leftarrow \mathsf{nbe}(V\,(\mathsf{id}_\Gamma, \mathsf{zero})) \quad \Gamma \vdash v' \Leftarrow \mathsf{Fun}\,\mathsf{Nat}\,(\mathsf{Fun}\,V\,\mathsf{nbe}(V\,(\mathsf{p}\,\mathsf{p}, \mathsf{suc}\,(\mathsf{q}\,\mathsf{p}))))}{\Gamma \vdash \mathsf{natrec}\,V\,v\,v'\,k \Rightarrow \mathsf{nbe}(V\,(\mathsf{id}, k))}$$

Finite types.

$$\frac{}{\Gamma \vdash \mathsf{N}_n \Leftarrow}\qquad \frac{}{\Gamma \vdash \mathsf{N}_n \Leftarrow \mathsf{U}}\qquad \frac{i < n}{\Gamma \vdash \mathsf{c}^n_i \Leftarrow \mathsf{N}_n}$$

$$\frac{\Gamma.\mathsf{N}_n \vdash V \Leftarrow \quad \Gamma \vdash k \Rightarrow \mathsf{N}_n \quad \Gamma \vdash v_i \Leftarrow \mathsf{nbe}(V\,(\mathsf{id}_\Gamma, \mathsf{c}^n_i)) \ \text{ for all } i < n}{\Gamma \vdash \mathsf{case}^n\,V\,v_0 \cdots v_{n-1}\,k \Rightarrow \mathsf{nbe}(V\,(\mathsf{id}, k))}$$

Proof types.

$$\frac{\Gamma \vdash V \Leftarrow}{\Gamma \vdash \mathsf{Prf}\,V \Leftarrow}\qquad \frac{\Gamma \vdash V \Leftarrow \mathsf{U}}{\Gamma \vdash \mathsf{Prf}\,V \Leftarrow \mathsf{U}}\qquad \frac{\Gamma \vdash v \Leftarrow V}{\Gamma \vdash [v] \Leftarrow \mathsf{Prf}\,V}$$

$$\frac{\Gamma \vdash W \Leftarrow \quad \Gamma \vdash k \Rightarrow \mathsf{Prf}\,V \quad \Gamma.V \vdash v \Leftarrow \mathsf{nbe}(W\,\mathsf{p}) \quad \Gamma.V.V\,\mathsf{p} \vdash v\,\mathsf{p} = v\,(\mathsf{p}\,\mathsf{p}, \mathsf{q}) : W\,\mathsf{p}\,\mathsf{p}}{\Gamma \vdash v\ \mathsf{where}_W\ k \Rightarrow W}$$

We do not show the proof for correctness, because nothing is to be gained from it; suffice it to say that we can prove correctness with respect to $(\vdash\star)$.

Theorem 7.8. The type-checking algorithm is sound with respect to the calculus $(\vdash\star)$.

Proof. By simultaneous induction on the derivability of the type-checking judgements. □

It is clear that the given rules are not complete for checking $(\vdash\star)$, because there is no rule for checking $\Gamma \vdash \star \Leftarrow A$. Note that it is not possible to have a sound and complete type-checking algorithm with respect to $(\vdash\star)$, for it would imply the decidability of type-inhabitation. Since type checking always happens before normalisation, we can still use a good normalisation function with respect to the calculus $(\vdash\star)$ for normalising types or deciding equality. Indeed, if the term to type-check does not contain $\star$, the need of checking $\Gamma \vdash \star \Leftarrow V$ will never arise; this is clearly seen by verifying that only sub-terms are type-checked in the premises.

Theorem 7.9. The type-checking algorithm is complete with respect to the calculus $(\vdash)$.

Proof. By simultaneous induction on the normal form of types and terms, using inversion on the typing judgement and correctness of $\mathsf{nbe}(\_)$. □

Corollary 7.10. The type-checking algorithm is correct (by Thm. 7.8 and Cor. 2.15) and complete with respect to the calculus $(\vdash)$.



8. Conclusion 

The main contributions of the paper are the definition of a correct and complete type-checking algorithm, and a simpler solution to the problem of generating fresh identifiers in the NbE algorithm for a calculus with singletons, one universe, and proof-irrelevant types. The type-checker is based on the NbE algorithm, which is used to decide equality and to prove the injectivity of the type constructors. We emphasise that the type-checking algorithm is modular with respect to the normalisation algorithm. All the results can be extended to a calculus with annotated lambda abstractions, yielding a type-checking algorithm for terms not necessarily in normal form. The NbE algorithm can be implemented fairly easily in Haskell (cf. Appendix A), but the correctness of the implementation depends on proving the computational adequacy of the domain semantics with respect to Haskell's operational semantics. We have not developed this proof in this article and leave it for future work.

8.1. Related and Further Work on Singleton Types. Singleton types are used to
model the SML module system and records with manifest fields [21].

Aspinall [10] presents a logical framework with singleton types and subtyping and shows its consistency via a PER model, yet not decidability. The second author, Pollack, and Takeyama [21] extend Aspinall's framework by $\eta$-equality and records and a type checking algorithm which is correct wrt. the PER model. This work is unconventional since there is no complete syntactical specification of the LF in terms of syntax, typing and equality rules. Instead, in the style of Martin-Löf meaning explanations, they list a number of inference rules which are valid in the semantics and prove that type-checked expressions evaluate to values of the correct semantic type.

Courant [22] shows strong normalization for a variant of Aspinall's system with equality defined by reduction. He uses a typed Kripke model of strongly normalizing terms, a variant of Goguen's typed operational semantics [29].

Stone and Harper [5^ extend Aspinall's framework by sigma types and eta-equality, which allows them to reduce singletons at higher types to singletons at base type. Their decision procedure is type-directed; its completeness is shown via a Kripke model. Crary [23] gives a simplified decision procedure via hereditary substitutions and proves its correctness in Twelf, without the need for a model construction. His purely syntactical approach does not scale to universes, since he cannot handle types defined by recursion. Goguen [30] follows a similar agenda: he shows decidability for singleton types in the presence of eta by an eta-expanding translation into a logical framework with beta-equality only. He works with fully annotated terms in the sense of Streicher [55]. He stresses that his approach does not scale to computation on the type level.

In the continuation of this work we want to investigate whether our type-checking algorithm can be simplified if we implement Stone and Harper's insight that singleton types at higher types can be defined in terms of singleton base types. Further, we would like to integrate subtyping in our calculus, which should not be too difficult, since the PER model already supports subtyping [10, 21].

8.2. Related and Further Work on Proof Irrelevance. Pfenning [47] presents a logical framework with proof irrelevance that supports irrelevant function arguments, with function introduction rule (writing $(x{:}\mathsf{Prf}\,A)\,B$ in our syntax):

$$\Gamma \vdash \lambda x\,t : (x{:}\mathsf{Prf}\,A)\,B$$

He proves decidability using erasure, mentioning that his technique does not scale to universes. Elimination of irrelevance is implicitly handled by annotating variables to ensure proof variables $(x \div A)$ appear only in proofs, in contrast to our explicit use of _ where [_] ^ _ in the style of Awodey and Bauer [11]. However, we believe that Pfenning's proof irrelevance can be modeled via bracket types $\mathsf{Prf}\,A$, with the weaker "monadic" rule for $\mathsf{where}$ (see section 2).

Barras and Bernardo's [13] presentation of proof irrelevant functions

$$\frac{\Gamma, x{:}A \vdash B \qquad \Gamma, x{:}A \vdash t : B \qquad x \notin \mathrm{FV}(t^{*})}{\Gamma \vdash \lambda x\,t : (x{:}\mathsf{Prf}\,A)\,B}$$

diverges from Pfenning's in that they allow irrelevant variables $x$ to be relevant in types $B$. (In $t$ the variable $x$ might only appear irrelevantly, expressed by the side condition that $x$ may not be free in the relevant parts $t^{*}$ of $t$.) Barras and Bernardo justify their calculus by erasing into Miquel's Implicit Calculus of Constructions (ICC) [41]. The ICC style irrelevance seems more expressive than Awodey and Bauer's or Pfenning's, but the exact relationship is unclear to us.

Berger's Uniform Heyting Algebra [15] features uniform quantification $\{\forall x\}A$ (and to obtain optimized programs by extraction from proofs. A proof of a uniform universal

$$\frac{\Gamma \vdash M : A}{\Gamma \vdash \{\forall\}^{+}(\lambda x\,M) : \{\forall x\}A}$$

may not mention term variable $x$ in a computationally relevant position. Since the shape of formulas does not depend on terms, Berger's calculus can be seen as the logical counterpart of either Pfenning's or Barras and Bernardo's type system.

We see two interesting questions about the different approaches to proof irrelevance above:

(1) How can Barras and Bernardo's ICC* be understood in terms of judgmental equality à la Pfenning?

(2) How can ICC* and the calculus of Pfenning be extended to full bracket types à la Awodey and Bauer without explicit use of $\mathsf{where}$?

Appendix A. Normalisation by evaluation



type Type = Term
data Term = U                            -- universe
          | Fun Type Type                -- dependent function space
          | Singl Term Type              -- singleton type ({a}_A)
          | App Term Term                -- application
          | Lam Term                     -- abstraction
          | Q                            -- variable
          | Sub Term Subst               -- substitution
          | Sigma Type Type              -- dependent pair type
          | Fst Term                     -- first projection
          | Snd Term                     -- second projection
          | Pair Term Term               -- dependent pair
          | Nat                          -- naturals
          | Zero                         -- 0
          | Suc Term                     -- +1
          | Natrec Type Term Term Term   -- elimination for Nat
          | Prf Type                     -- proof (with proof irrelevance)
          | Box Term                     -- a term in Prf A
          | Star                         -- canonical element of Prf A
          | Where Type Term Term         -- Box elimination
          | Enum Int                     -- Enum n has n elements
          | Const Int Int                -- Const n i is the ith element
          | Case Int Type [Term] Term    -- elimination for Enum n
          deriving (Eq, Show)

data Subst = E                           -- empty substitution
           | Is                          -- identity substitution
           | Ext Subst Term              -- extension
           | P                           -- weakening
           | Comp Subst Subst            -- composition
           deriving (Eq, Show)

type DT = D                              -- semantic types
data D = T                               -- terminal object (empty context)
       | Ld (D -> D)                     -- function
       | FunD DT (D -> DT)               -- dependent function type
       | UD                              -- universe
       | SingD D DT                      -- singleton type
       | Vd Int                          -- free variable
       | AppD D D                        -- neutral application
       | SumD DT (D -> DT)               -- dependent pair type
       | PairD D D                       -- context comprehension
       | FstD D                          -- first projection of neutral
       | SndD D                          -- second projection of neutral
       | NatD                            -- natural number type
       | ZeroD                           -- 0
       | SucD D                          -- +1
       | NatrecD (D -> DT) D D D         -- recursion on neutrals
       | PrfD DT                         -- proof type
       | StarD                           -- don't care
       | EnumD Int                       -- enumeration type
       | ConstD Int Int                  -- constants in EnumD
       | CaseD Int (D -> DT) [D] D       -- elimination on neutrals

type Ctx = [Type]

-- Projections on semantic pairs; StarD absorbs everything.
pi1, pi2 :: D -> D
pi1 (PairD d d') = d
pi1 StarD        = StarD
pi1 k            = FstD k

pi2 (PairD d d') = d'
pi2 StarD        = StarD
pi2 k            = SndD k

-- Semantic application.
ap :: D -> D -> D
ap (Ld f) d = f d
ap StarD  _ = StarD

neutralD :: D -> Bool
neutralD (Vd _)            = True
neutralD (AppD _ _)        = True
neutralD (FstD _)          = True
neutralD (SndD _)          = True
neutralD (NatrecD _ _ _ _) = True
neutralD (CaseD _ _ _ _)   = True
neutralD StarD             = True
neutralD _                 = False

-- Primitive recursion; on a neutral argument the recursor is reflected at
-- type (b d), with the motive, base and step cases reified first.
natrec :: (D -> DT) -> D -> D -> D -> D
natrec b z s StarD    = StarD
natrec b z s ZeroD    = z
natrec b z s (SucD e) = (s `ap` e) `ap` (natrec b z s e)
natrec b z s d | neutralD d =
  up (b d) (NatrecD (\e -> downT (b e))
                    (down (b ZeroD) z)
                    downSuc
                    d)
  where downSuc = down (FunD NatD
                         (\n -> FunD (b n)
                                     (\e -> b (SucD n))))
                       s

-- Reify the branches of a case, the i-th one at type (f (ConstD n i)).
downs :: Int -> (D -> DT) -> [D] -> Int -> [D]
downs _ _ []       _ = []
downs n f (d : ds) i = down (f (ConstD n i)) d : downs n f ds (i + 1)

constD :: Int -> Int -> D -> Bool
constD n i (ConstD m j) = m == n && i == j
constD _ _ _            = False

-- Case on finite types; if every branch i is just the constant i, the
-- case collapses to its scrutinee (eta for enumerations).
caseD :: Int -> (D -> DT) -> [D] -> D -> D
caseD n b ds StarD = StarD
caseD n b ds (ConstD m i) | n == m && i < n = ds !! i
caseD n b ds d | neutralD d &&
                 and [constD n i (ds !! i) | i <- [0 .. n - 1]] = up (b d) d
caseD n b ds d | neutralD d =
  up (b d) (CaseD n (\e -> downT (b e))
                    (downs n b ds 0)
                    d)

-- Reflection: embed a neutral at the given semantic type.
up :: DT -> D -> D
up (SingD a x) k = a
up (FunD a f)  k = Ld (\d -> up (f d) (AppD k (down a d)))
up (SumD a f)  k = PairD (up a (FstD k))
                         (up (f (up a (FstD k))) (SndD k))
up (PrfD a)    k = StarD
up (EnumD 0)   k = StarD
up (EnumD 1)   k = ConstD 1 0
up d           k = k

-- Reification: eta-expand a value at the given semantic type.
down :: DT -> D -> D
down UD          d = downT d
down (SingD a x) d = down x a
down (FunD a f)  d = Ld (\e -> down (f (up a e)) (d `ap` (up a e)))
down (SumD a b)  d = PairD (down a (pi1 d)) (down (b (pi1 d)) (pi2 d))
down (PrfD a)    d = StarD
down (EnumD 1)   d = ConstD 1 0
down d           e = e

-- Reification of types.
downT :: DT -> DT
downT (SingD a x) = SingD (down x a) (downT x)
downT (FunD a f)  = FunD (downT a) (\d -> downT (f (up a d)))
downT (SumD a b)  = SumD (downT a) (\d -> downT (b (up a d)))
downT (PrfD a)    = PrfD (downT a)
downT d           = d

-- Read back a (reified) value under i free variables as a term.
readback :: Int -> D -> Term
readback i UD           = U
readback i (FunD a f)   = Fun (readback i a) (readback (i + 1) (f (Vd i)))
readback i (SingD a x)  = Singl (readback i a) (readback i x)
readback i (Ld f)       = Lam (readback (i + 1) (f (Vd i)))
readback i (Vd n)       = mkvar (i - n - 1)
readback i (AppD k d)   = App (readback i k) (readback i d)
readback i (FstD d)     = Fst (readback i d)
readback i (SndD d)     = Snd (readback i d)
readback i (PairD d e)  = Pair (readback i d) (readback i e)
readback i (SumD a b)   = Sigma (readback i a) (readback (i + 1) (b (Vd i)))
readback i NatD         = Nat
readback i ZeroD        = Zero
readback i (SucD e)     = Suc (readback i e)
-- the motive is read back under one extra variable (Gamma.Nat), as eval
-- evaluates it, in the same way as the motive of CaseD below
readback i (NatrecD b z s e) = Natrec (readback (i + 1) (b (Vd i)))
                                      (readback i z)
                                      (readback i s)
                                      (readback i e)
readback i (PrfD d)     = Prf (readback i d)
readback i StarD        = Star
readback i (EnumD n)    = Enum n
readback i (ConstD n j) = Const n j
readback i (CaseD n b ds d) = Case n (readback (i + 1) (b (Vd i)))
                                     (map (readback i) ds)
                                     (readback i d)

-- Evaluation

type Env = D

eval :: Term -> Env -> D
eval U               d = UD
eval (Fun t f)       d = FunD (eval t d) (\d' -> eval f (PairD d d'))
eval (Singl t a)     d = SingD (eval t d) (eval a d)
eval (Lam t)         d = Ld (\d' -> eval t (PairD d d'))
eval (App t r)       d = (eval t d) `ap` (eval r d)
eval Q               d = pi2 d
eval (Sub t s)       d = eval t (evalS s d)
eval (Sigma t r)     d = SumD (eval t d) (\e -> eval r (PairD d e))
eval (Fst t)         d = pi1 (eval t d)
eval (Snd t)         d = pi2 (eval t d)
eval (Pair t r)      d = PairD (eval t d) (eval r d)
eval Nat             d = NatD
eval Zero            d = ZeroD
eval (Suc t)         d = SucD (eval t d)
eval (Natrec b z s t) d = natrec (\e -> eval b (PairD d e))
                                 (eval z d)
                                 (eval s d)
                                 (eval t d)
eval (Prf t)         d = PrfD (eval t d)
eval (Box t)         d = StarD
eval Star            d = StarD
eval (Where t b p)   d = eval b (PairD d StarD)
eval (Enum n)        d = EnumD n
eval (Const n i)     d = ConstD n i
eval (Case n b ts t) d = caseD n (\e -> eval b (PairD d e))
                                 (map ((flip eval) d) ts)
                                 (eval t d)

evalS :: Subst -> Env -> Env
evalS E           d = T
evalS Is          d = d
evalS (Ext s t)   d = PairD (evalS s d) (eval t d)
evalS P           d = pi1 d
evalS (Comp s s') d = (evalS s . evalS s') d

-- Normalisation of closed terms and types.
nbe :: Type -> Term -> Term
nbe ty t = readback 0 (down (eval ty T) (eval t T))

nbeTy :: Type -> Type
nbeTy ty = readback 0 (downT (eval ty T))

-- Normalisation under a context, using the canonical environment (Def. 6.12).
nbeOpen :: Ctx -> Type -> Term -> Term
nbeOpen ctx ty t = readback n (down (eval ty env) (eval t env))
  where n   = length ctx
        env = mkenv n ctx

nbeOpenTy :: Ctx -> Type -> Type
nbeOpenTy ctx ty = readback n (downT (eval ty env))
  where n   = length ctx
        env = mkenv n ctx

mkenv :: Int -> Ctx -> Env
mkenv _ []       = T
mkenv n (t : ts) = PairD d' (up td (Vd (n - 1)))
  where d' = mkenv (n - 1) ts
        td = eval t d'

-- The n-th de Bruijn variable as a term: Q, Sub Q P, Sub Q (Comp P P), ...
mkvar :: Int -> Term
mkvar n | n == 0    = Q
        | otherwise = Sub Q (subs (n - 1))

subs :: Int -> Subst
subs n | n == 0    = P
       | otherwise = Comp P (subs (n - 1))

Appendix B. Type-checking algorithm
Type checking algorithm for normal forms, and type inference algorithm for neutral terms.

-- Checking well-formedness of types.
chkType :: Ctx -> Type -> Bool
chkType ts U                    = True
chkType ts (Fun t r)            = chkType ts t && chkType (t : ts) r
chkType ts (Singl a t)          = chkType ts t && chkTerm ts t a
chkType ts (Sigma t r)          = chkType ts t && chkType (t : ts) r
chkType ts Nat                  = True
chkType ts (Prf t)              = chkType ts t
chkType ts (Enum n)             = True
chkType ts Q                    = chkNeTerm ts U Q
chkType ts w@(Sub Q s)          = chkNeTerm ts U w
chkType ts w@(App k v)          = chkNeTerm ts U w
chkType ts w@(Fst k)            = chkNeTerm ts U w
chkType ts w@(Snd k)            = chkNeTerm ts U w
chkType ts w@(Natrec t' v v' k) = chkNeTerm ts U w
chkType _ _                     = False

-- Checking the types of terms.
sgSub :: Term -> Term -> Term
sgSub t t' = Sub t (Ext Is t')   -- single substitution t (id, t')

chkTerm :: Ctx -> Type -> Term -> Bool
chkTerm ts U (Fun t t')            = chkTerm ts U t && chkTerm (t : ts) U t'
chkTerm ts U (Singl e t)           = chkTerm ts U t && chkTerm ts t e
chkTerm ts U (Sigma t t')          = chkTerm ts U t && chkTerm (t : ts) U t'
chkTerm ts U Nat                   = True
chkTerm ts (Fun t t') (Lam e)      = chkTerm (t : ts) t' e
-- checking against a singleton type: check against the underlying type, then
-- decide the equation e = e' : t by comparing normal forms
chkTerm ts (Singl e t) e'          = chkTerm ts (nbeOpenTy ts t) e'
                                     && nbeOpen ts t e == nbeOpen ts t e'
chkTerm ts (Sigma t r) (Pair e e') = chkTerm ts t e
                                     && chkTerm ts (nbeOpenTy ts (sgSub r e)) e'
chkTerm ts Nat Zero                = True
chkTerm ts Nat (Suc t)             = chkTerm ts Nat t
chkTerm ts (Prf t) (Box e)         = chkTerm ts t e
chkTerm ts (Enum n) (Const m i)    = m == n && i < n
chkTerm ts t e | neutral e         = chkNeTerm ts t e
chkTerm _ _ _                      = False

neutral :: Term -> Bool
neutral Q                  = True
neutral (Sub Q s)          = True
neutral (App k v)          = True
neutral (Fst k)            = True
neutral (Snd k)            = True
neutral (Natrec t' v v' k) = True
neutral (Case n b ts t)    = True
neutral (Where t b p)      = True
neutral _                  = False

-- The singleton's tag (Def. 7.2).
erase :: Type -> Type
erase (Singl e t) = erase t
erase t           = t

maybeEr :: Maybe Type -> Maybe Type
maybeEr = maybe Nothing (Just . erase)

-- A neutral checks against t if the tag of its inferred type is t.
chkNeTerm :: Ctx -> Type -> Term -> Bool
chkNeTerm ts t e = case maybeEr (infType ts e) of
  Just t' -> t == t'
  Nothing -> False

-- Inferring the types of neutral terms.
nbeType :: Ctx -> Type -> Maybe Type
nbeType ctx t = Just (nbeOpenTy ctx t)

infType :: Ctx -> Term -> Maybe Type
infType (t : ts) Q    = nbeType (t : ts) (Sub t P)
-- infCtx, the context under which the substitution s is inferred, is not
-- reproduced on this page
infType ts (Sub Q s)  = case infType (infCtx ts s) Q of
  Just t -> nbeType ts (Sub t s)
  _      -> Nothing
infType ts (App e e') = case maybeEr (infType ts e) of
  Just (Fun t t') -> if chkTerm ts t e'
                       then nbeType ts (sgSub t' e')
                       else Nothing
  _               -> Nothing
infType ts (Fst e)    = case maybeEr (infType ts e) of
  Just (Sigma t t') -> Just t
  _                 -> Nothing
infType ts (Snd e)    = case maybeEr (infType ts e) of
  Just (Sigma t t') -> nbeType ts (sgSub t' (Fst e))
_ — >■ Nothing 
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infType ts {Natrec t v w k) = case maybeEr {infType ts k) of 

Just Nat if 

chkType {Nat : ts) t A 

chkTerm ts {nbeOpenTy ts {sgSub t Zero)) v A 
chkTerm {Nat : ts) 
{Fun {sgSub t Q) 

{sgSub t {Sue {Sub Q P)))) w 
then nbeType ts {sgSub t k) 
else Nothing 
_ — >■ Nothing 

infType ts ( Where t b k) = case maybeEr {infType ts k) of 

Just {Prf t') ^ if chkType ts t A 
chkTerm {t' : ts) t b A 

nbeOpen ts' w {Sub b {Ext {subs 1) Q)) = 
nbeOpen ts' w {Sub b P) 
then Just t 
else Nothing 

where ts' = Sub t' P : t' : ts 
w = Sub t {subs 1) 
_ — >■ Nothing 

infType ts {Case n b cs k) = case maybeEr {infType ts k) of 

Just {Enum m) ^ if m = n A 

chkType {Enum n: ts) b A 

chkList ts n b cs 

then nbeType ts {sgSub b k) 

else Nothing 
_ —7- Nothing 

infType = Nothing 

chkList :: Ctx — )• Int — > Type — )• Int — )• [ Term] — )■ Bool 
chkList ts [] = True 

chkList ts n b i {e : es) = chkTerm ts {nbeOpenTy ts {sgSub b {Const n i))) e A 

chkList ts n b {i + 1) es 

infCtx :: Ctx — )■ Subst — >■ Ctx 

infCtx {t :ts)P = ts 

infCtx {t : ts) {Comp P s) = infCtx ts s 
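The two listings above (the nbe/mkenv functions of Appendix A and the chkTerm/infType checker of Appendix B) are easier to follow against a small executable model. The following Python block is an added example and is not the paper's Haskell: it renders the same structure for a fragment with Nat, Fun and singleton types only (Sigma, Prf, Enum, Natrec and the explicit-substitution calculus are left out; environments and de Bruijn levels play the role of Sub, P and Q). The tuple tags, the function names (eval_tm, up, down, mkenv, nbe_open, chk, inf) and the sample terms are this example's own assumptions, not notation from the paper.

```python
# Added example (not the paper's code): a Python model of nbe/mkenv and of
# chkTerm/infType for a fragment with Nat, Fun and singleton types.
# Terms use de Bruijn indices; neutrals use de Bruijn levels ('nvar', k).
# All tags and function names are this example's own, not the paper's.

def eval_tm(t, env):
    """Evaluate a term in env (env[0] is the innermost variable)."""
    tag = t[0]
    if tag == 'var':  return env[t[1]]
    if tag == 'lam':  return ('clo', t[1], env)            # closure
    if tag == 'app':  return apply(eval_tm(t[1], env), eval_tm(t[2], env))
    if tag == 'zero': return ('vzero',)
    if tag == 'suc':  return ('vsuc', eval_tm(t[1], env))
    raise ValueError(t)

def eval_ty(ty, env):
    """Evaluate a type; a Fun codomain stays a closure (body, env)."""
    if ty[0] == 'nat':   return ('vnat',)
    if ty[0] == 'fun':   return ('vfun', eval_ty(ty[1], env), (ty[2], env))
    if ty[0] == 'singl': return ('vsingl', eval_tm(ty[1], env), eval_ty(ty[2], env))
    raise ValueError(ty)

def inst(clo, v):                     # instantiate a codomain closure with v
    body, env = clo
    return eval_ty(body, [v] + env)

def up(ty, ne):
    """Reflect a neutral at a semantic type; at a singleton {d}X it is just d."""
    return ty[1] if ty[0] == 'vsingl' else ('vne', ty, ne)

def apply(f, a):
    if f[0] == 'clo':
        return eval_tm(f[1], [a] + f[2])
    _, (_, dom, clo), ne = f          # neutral function at type Fun dom clo
    return up(inst(clo, a), ('napp', ne, a, dom))

def down(n, ty, v):
    """Type-directed readback at level n; eta-expands at Fun."""
    if ty[0] == 'vfun':
        fresh = up(ty[1], ('nvar', n))
        return ('lam', down(n + 1, inst(ty[2], fresh), apply(v, fresh)))
    if ty[0] == 'vsingl':
        return down(n, ty[2], v)
    if v[0] == 'vzero': return ('zero',)
    if v[0] == 'vsuc':  return ('suc', down(n, ty, v[1]))
    return down_ne(n, v[2])           # v is ('vne', ty, ne)

def down_ne(n, ne):
    if ne[0] == 'nvar':
        return ('var', n - 1 - ne[1])   # level to index
    _, head, arg, arg_ty = ne
    return ('app', down_ne(n, head), down(n, arg_ty, arg))

def down_ty(n, ty):
    if ty[0] == 'vnat':   return ('nat',)
    if ty[0] == 'vsingl': return ('singl', down(n, ty[2], ty[1]), down_ty(n, ty[2]))
    fresh = up(ty[1], ('nvar', n))
    return ('fun', down_ty(n, ty[1]), down_ty(n + 1, inst(ty[2], fresh)))

def mkenv(ctx):
    """Reflected variables for a context (ctx[0] innermost), as mkenv does."""
    n, env = len(ctx), []
    for i in range(n - 1, -1, -1):    # outermost binder gets level 0
        env = [up(eval_ty(ctx[i], env), ('nvar', n - 1 - i))] + env
    return env

def nbe_open(ctx, ty, t):
    """Normal form of an open term at type ty (the role of nbeOpen)."""
    env = mkenv(ctx)
    return down(len(ctx), eval_ty(ty, env), eval_tm(t, env))

def erase(ty):
    return erase(ty[2]) if ty[0] == 'singl' else ty

def chk(ctx, ty, t):
    """chkTerm: check a normal form t against a normal type ty."""
    if ty[0] == 'fun' and t[0] == 'lam':
        return chk([ty[1]] + ctx, ty[2], t[1])
    if ty[0] == 'singl':              # {e}X: check at X, then compare normal forms
        return (chk(ctx, ty[2], t)
                and nbe_open(ctx, ty[2], ty[1]) == nbe_open(ctx, ty[2], t))
    if ty[0] == 'nat' and t[0] == 'zero': return True
    if ty[0] == 'nat' and t[0] == 'suc':  return chk(ctx, ('nat',), t[1])
    if t[0] in ('var', 'app'):        # neutral: infer, erase singletons, compare
        inferred = inf(ctx, t)
        return inferred is not None and erase(inferred) == ty
    return False

def inf(ctx, t):
    """infType: normalised type of a neutral term, or None if ill-typed."""
    env = mkenv(ctx)
    if t[0] == 'var' and t[1] < len(ctx):
        # ctx[i] lives in the shorter context ctx[i+1:]; reading it back at
        # level len(ctx) weakens it (the role of `Sub t P` in the paper)
        return down_ty(len(ctx), eval_ty(ctx[t[1]], env[t[1] + 1:]))
    if t[0] == 'app':
        fty = inf(ctx, t[1])
        if fty is None or erase(fty)[0] != 'fun':
            return None
        _, dom, cod = erase(fty)
        if not chk(ctx, dom, t[2]):
            return None
        return down_ty(len(ctx), eval_ty(cod, [eval_tm(t[2], env)] + env))
    return None
```

Three behaviours of the paper's algorithm are visible here: a variable of singleton type {zero}Nat is reflected by `up` to zero itself, so `nbe_open` of that variable at Nat yields zero; readback of a neutral f at Nat→Nat returns the eta-expansion λx. f x, so a singleton {f} accepts the eta-expanded term; and a neutral is checked by inferring its type, erasing singletons and comparing normal types, exactly as `chkNeTerm` does.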
Appendix C. Proofs

C.1. Proof of Lemma 5.19. By induction on $X = X' \in \mathcal{T}$. We do not show the base cases, for they are trivial.

(1) Let $\mathrm{Sing}\,d\,X = \mathrm{Sing}\,d'\,X' \in \mathcal{T}$.
  $[X] = [X']$   by ind. hyp.
  $d = d' \in [X]$   by ind. hyp.
  $e = d \in [X]$ and $e' = d \in [X]$   hypothesis
  $e = d' \in [X]$ and $e' = d' \in [X]$   by transitivity
  $\lfloor d \rfloor_X = \lfloor d' \rfloor_{X'}$   by definition.

(2) Let $\mathrm{Fun}\,X\,F = \mathrm{Fun}\,X'\,F' \in \mathcal{T}$.
  $[X] = [X']$   by ind. hyp.
  for all $d \in \mathrm{dom}([X])$, $F\,d = F'\,d \in \mathcal{T}$   by definition (*)
  for all $d = d' \in [X]$, $f \cdot d = f' \cdot d' \in [F\,d]$   hypothesis
  $f \cdot d = f' \cdot d' \in [F'\,d]$   by ind. hypothesis on (*). □

C.2. Proof of Lemma 5.22. By induction on $X = X' \in \mathcal{T}$.

(a) Case $\mathrm{Sing}\,d\,X = \mathrm{Sing}\,d'\,X' \in \mathcal{T}$.

(1) The partial function $\uparrow$ maps neutrals to related elements in the corresponding PER.
  $k = k' \in \mathrm{Ne}$   hypothesis
  $d = d' \in [X]$ and $X = X' \in \mathcal{T}$   by inversion
  $\uparrow_{\mathrm{Sing}\,d\,X} k = d$ and $\uparrow_{\mathrm{Sing}\,d'\,X'} k' = d'$   by def.
  $d = d' \in \lfloor d \rfloor_X$   by def. of this PER.

(2) The partial function $\downarrow$ maps related elements to related normal forms.
  $d_1 = d_2 \in \lfloor d \rfloor_X$   hypothesis
  $d_1 = d_2 = d = d' \in [X]$ and $X = X' \in \mathcal{T}$   by inversion
  $\downarrow_X d = \downarrow_{X'} d' \in \mathrm{Nf}$   by ind. hyp.
  $\downarrow_{\mathrm{Sing}\,d\,X} d_1 = \downarrow_{\mathrm{Sing}\,d'\,X'} d_2 \in \mathrm{Nf}$   by def.

(3) The function $\Downarrow$ maps related elements in $\mathcal{T}$ to normal forms.
  $\Downarrow \mathrm{Sing}\,d\,X = \mathrm{Sing}\,(\downarrow_X d)\,(\Downarrow X)$   by def.
  $\Downarrow \mathrm{Sing}\,d'\,X' = \mathrm{Sing}\,(\downarrow_{X'} d')\,(\Downarrow X')$   by def.
  $\downarrow_X d = \downarrow_{X'} d' \in \mathrm{Nf}$   by ind. hyp.
  $\Downarrow X = \Downarrow X' \in \mathrm{Nf}$   by ind. hyp.
  $\mathrm{Sing}\,(\downarrow_X d)\,(\Downarrow X) = \mathrm{Sing}\,(\downarrow_{X'} d')\,(\Downarrow X') \in \mathrm{Nf}$   by Lem. 5.16

(b) Case $\mathrm{Fun}\,X\,F = \mathrm{Fun}\,X'\,F' \in \mathcal{T}$.

(1) The partial function $\uparrow$ maps neutrals to related elements in the corresponding PER.
  $k = k' \in \mathrm{Ne}$   hypothesis
  $d = d' \in [X]$   hypothesis (*)
  $X = X' \in \mathcal{T}$   by inversion (†)
  $F\,d = F'\,d' \in \mathcal{T}$   by inversion (**)
  $\downarrow_X d = \downarrow_{X'} d' \in \mathrm{Nf}$   by ind. hyp. on (†) and (*)
  $\mathrm{App}\,k\,(\downarrow_X d) = \mathrm{App}\,k'\,(\downarrow_{X'} d') \in \mathrm{Ne}$   by Lem. [CT] (‡)
  $\uparrow_{F\,d} (\mathrm{App}\,k\,(\downarrow_X d)) = \uparrow_{F'\,d'} (\mathrm{App}\,k'\,(\downarrow_{X'} d')) \in [F\,d]$   by ind. hyp. on (**) and (‡)
  $\uparrow_{\mathrm{Fun}\,X\,F} k = \uparrow_{\mathrm{Fun}\,X'\,F'} k' \in [\mathrm{Fun}\,X\,F]$   by def.

(2) The partial function $\downarrow$ maps related elements to related normal forms.
  $X = X' \in \mathcal{T}$   by inversion (*)
  $f = f' \in [\mathrm{Fun}\,X\,F]$   hypothesis
  $k = k' \in \mathrm{Ne}$   hypothesis
  $\uparrow_X k = \uparrow_{X'} k' \in [X]$   by ind. hyp. on (*) (†)
  $d := \uparrow_X k$   abbreviation
  $d' := \uparrow_{X'} k'$   abbreviation
  $F\,d = F'\,d' \in \mathcal{T}$   by inversion and (†) (**)
  $f \cdot d = f' \cdot d' \in [F\,d]$   definition of $[\mathrm{Fun}\,X\,F]$ (‡)
  $\downarrow_{F\,d} (f \cdot d) = \downarrow_{F'\,d'} (f' \cdot d') \in \mathrm{Nf}$   by ind. hyp. on (**) and (‡)
  $(\downarrow_{\mathrm{Fun}\,X\,F} f) \cdot k = (\downarrow_{\mathrm{Fun}\,X'\,F'} f') \cdot k' \in \mathrm{Nf}$   by def.
  $\downarrow_{\mathrm{Fun}\,X\,F} f = \downarrow_{\mathrm{Fun}\,X'\,F'} f' \in \mathrm{Nf}$   by Lem. 5.16

(3) The function $\Downarrow$ maps related elements in $\mathcal{T}$ to normal forms.
  $X = X' \in \mathcal{T}$   by inversion (*)
  $\Downarrow X = \Downarrow X' \in \mathrm{Nf}$   by ind. hyp. on (*) (**)
  $k = k' \in \mathrm{Ne}$   hypothesis
  $\uparrow_X k = \uparrow_{X'} k' \in [X]$   by ind. hyp. on (*) (†)
  $d := \uparrow_X k$   abbr.
  $d' := \uparrow_{X'} k'$   abbr.
  $F\,d = F'\,d' \in \mathcal{T}$   by inversion and (†) (‡)
  $\Downarrow (F\,d) = \Downarrow (F'\,d') \in \mathrm{Nf}$   by ind. hyp. on (‡)
  $\Downarrow (\mathrm{Fun}\,X\,F) = \Downarrow (\mathrm{Fun}\,X'\,F') \in \mathrm{Nf}$   by Lem. 5.16 □

C.3. Proof of Lemma 5.34. The proofs of soundness for (prf-β) and (prf-η) have the same structure, so we show only the first one.
(prf-β) $b\ \mathrm{where}_A\ [a] = b\,(\mathrm{id}, a)$
  $\llbracket b\ \mathrm{where}_A\ [a] \rrbracket d$
  $= \llbracket b \rrbracket (d, \llbracket a \rrbracket d)$   def. of semantics for $b\ \mathrm{where}_A\ [a]$
  $= \llbracket b \rrbracket (\llbracket (\mathrm{id}, a) \rrbracket d)$   ind. hypothesis on $\Gamma.A.A \vdash b\,\mathrm{p} = b\,(\mathrm{p}\,\mathrm{p}, \mathrm{q}) : B\,\mathrm{p}\,\mathrm{p}$
  $= \llbracket b\,(\mathrm{id}, a) \rrbracket d$   def. of semantics for substitutions

(prf-assoc) $a\ \mathrm{where}_A\ (b\ \mathrm{where}_B\ c) = (a\,(\mathrm{p}\,\mathrm{p}, \mathrm{q})\ \mathrm{where}_{A\mathrm{p}}\ b)\ \mathrm{where}_B\ c$
  $\llbracket a\ \mathrm{where}_A\ (b\ \mathrm{where}_B\ c) \rrbracket d$
  $= \llbracket a \rrbracket (d, \llbracket b \rrbracket (d, *))$
  $= \llbracket a\,(\mathrm{p}\,\mathrm{p}, \mathrm{q}) \rrbracket ((d, *), \llbracket b \rrbracket (d, *))$
  $= \llbracket a\,(\mathrm{p}\,\mathrm{p}, \mathrm{q})\ \mathrm{where}_{A\mathrm{p}}\ b \rrbracket (d, *)$
  $= \llbracket (a\,(\mathrm{p}\,\mathrm{p}, \mathrm{q})\ \mathrm{where}_{A\mathrm{p}}\ b)\ \mathrm{where}_B\ c \rrbracket d$ □



C.4. Proof of Lemma 6.3. By induction on $X \in \mathcal{T}$.

(a) Types; in all cases we use symmetry and transitivity to show the conditions. We only show the case for $\mathrm{Fun}\,X\,F$.

(1) $X = \mathrm{Fun}\,X'\,F$:
  $\Gamma \vdash A = \mathrm{Fun}\,B\,C$   by definition (*)
  $\Gamma \vdash B \sim X'$   by definition
  $\Delta \vdash C\,(\mathrm{p}^i, s) \sim F\,d \in \mathcal{T}$   by definition
    for all $\Delta \leq_i \Gamma$ and $\Delta \vdash s : B\,\mathrm{p}^i \sim d \in [X']$
  $\Gamma \vdash A' = \mathrm{Fun}\,B\,C$   by sym. and trans. on (*)

(2) $\mathsf{N}_n \in \mathcal{T}$.
  $\Gamma \vdash t : A \sim d \in [\mathsf{N}_n]$   hypothesis (*)
  $\Gamma \vdash t = t' : A$   hypothesis (†)
  $\Delta \vdash t\,\mathrm{p}^i = \mathrm{R}_{|\Delta|}\,d : A\,\mathrm{p}^i$   by inversion on (*) (**)
  $\Delta \vdash t\,\mathrm{p}^i = t'\,\mathrm{p}^i : A\,\mathrm{p}^i$   by congruence on (†) (‡)
  $\Delta \vdash t'\,\mathrm{p}^i = \mathrm{R}_{|\Delta|}\,d : A\,\mathrm{p}^i$   by sym. and trans. on (**) and (‡)

(b) Terms. As in the case for types, we use symmetry and transitivity. We show only the cases for singletons and functions.

(1) $X = \mathrm{Sing}\,d\,X'$:
  $\Gamma \vdash A = \{b\}B$   by hypothesis (*)
  $\Gamma \vdash B \sim X' \in \mathcal{T}$   by hypothesis
  $\Gamma \vdash t : B \sim d \in [X']$   by hypothesis (†)
  $\Gamma \vdash A' = \{b\}B$   by sym. and trans. on (*)
  $\Gamma \vdash t' : B \sim d \in [X']$   by i.h. on (†)

(2) $X = \mathrm{Fun}\,X'\,F$:
  $\Gamma \vdash A = \mathrm{Fun}\,B\,C$   by hypothesis (*)
  $\Gamma \vdash B \sim X'$   by hypothesis
  $\Delta \vdash \mathrm{app}\,(t\,\mathrm{p}^i)\,s : C\,(\mathrm{p}^i, s) \sim f \cdot d \in [F\,d]$   by hypothesis
    for all $\Delta \leq_i \Gamma$ and $\Delta \vdash s : B\,\mathrm{p}^i \sim d \in [X']$
  $\Gamma \vdash A' = \mathrm{Fun}\,B\,C$   by sym. and trans. on (*) (†)
  $\Delta \vdash \mathrm{app}\,(t\,\mathrm{p}^i)\,s = \mathrm{app}\,(t'\,\mathrm{p}^i)\,s : C\,(\mathrm{p}^i, s)$   by congruence (‡)
  $\Delta \vdash \mathrm{app}\,(t'\,\mathrm{p}^i)\,s : C\,(\mathrm{p}^i, s) \sim f \cdot d \in [F\,d]$   by i.h. on (‡) □
C.5. Proof of Lemma 6.4. By induction on $X \in \mathcal{T}$. This property is trivial for the base cases; for singletons it is obtained by applying the i.h. We show two cases.

(1) Let $X = \mathrm{Fun}\,X'\,F$.
  $\Gamma \vdash A = \mathrm{Fun}\,B\,C$   by hypothesis (*)
  $\Gamma \vdash B \sim X'$   (†)
  $\Theta \vdash C\,(\mathrm{p}^i, s) \sim F\,d \in \mathcal{T}$   by hypothesis
    for all $\Theta \leq_i \Gamma$ and $\Theta \vdash s : B\,\mathrm{p}^i \sim d \in [X']$
  $\Delta \vdash A\,\mathrm{p}^i = \mathrm{Fun}\,(B\,\mathrm{p}^i)\,(C\,(\mathrm{p}^i\,\mathrm{p}, \mathrm{q}))$   by congruence on (*)
  $\Delta \vdash B\,\mathrm{p}^i \sim X'$   by i.h. on (†)
  $\Theta' \vdash s : (B\,\mathrm{p}^i)\,\mathrm{p}^j \sim d \in [X']$, with $\Theta' \leq_j \Delta$   hypothesis
  $\Theta' \vdash s : B\,\mathrm{p}^{i+j} \sim d \in [X']$   by Rem. 2.1 (‡)
  $\Theta' \vdash C\,(\mathrm{p}^{i+j}, s) \sim F\,d$   by hyp. using (‡)
  $\Theta' \vdash C\,(\mathrm{p}^i\,\mathrm{p}, \mathrm{q})\,(\mathrm{p}^j, s) \sim F\,d$   by congruence and 6.3

(2) $\mathrm{Prf}\,X \in \mathcal{T}$. As mentioned earlier, if $\Gamma \vdash A \sim \mathrm{Prf}\,X \in \mathcal{T}$ then $\Gamma \vdash \_ : A \sim \_ \in [\mathrm{Prf}\,X]$ is non-empty if and only if $\Gamma \vdash \_ : A$ is not empty.
  $\Gamma \vdash t : A \sim d \in [\mathrm{Prf}\,X]$   hypothesis (*)
  $\Gamma \vdash t : A$   by inversion on (*) (†)
  $\Gamma \vdash A \sim \mathrm{Prf}\,X \in \mathcal{T}$   by inversion on (*) (**)
  $\Delta \vdash t\,\mathrm{p}^i : A\,\mathrm{p}^i$   by weakening on (†)
  $\Delta \vdash A\,\mathrm{p}^i \sim \mathrm{Prf}\,X \in \mathcal{T}$   by monotonicity for types on (**)
  $\Delta \vdash t\,\mathrm{p}^i : A\,\mathrm{p}^i \sim d \in [\mathrm{Prf}\,X]$   by definition of log. rel.

We do not show proofs for the second part, since the most involved case is dealt with analogously to the case for $\mathrm{Fun}\,X'\,F$. □



C.6. Proof of Lemma 6.5. By induction on $X = X' \in \mathcal{T}$. Note that the first part for the base cases is trivial; the second point is also trivial for $X \in \mathrm{Ne}$. Thus we do not show those parts of the proof.

(a) Types.

(1) $\mathrm{Sing}\,d\,X = \mathrm{Sing}\,d'\,X'$.
  $\Gamma \vdash A = \{b\}B$   by hypothesis
  $\Gamma \vdash t : B \sim d \in [X]$   by hypothesis (*)
  $\Gamma \vdash t : B \sim d' \in [X']$   by i.h. on (*)

(2) $\mathrm{Fun}\,X\,F = \mathrm{Fun}\,X'\,F'$.
  $\Gamma \vdash A = \mathrm{Fun}\,B\,C$   by hypothesis
  $\Gamma \vdash B \sim X \in \mathcal{T}$   by hypothesis (*)
  $\Theta \vdash C\,(\mathrm{p}^i, s) \sim F\,d \in \mathcal{T}$   by hypothesis (**)
    for all $\Theta \leq_i \Gamma$ and $\Theta \vdash s : B\,\mathrm{p}^i \sim d \in [X']$
  $\Gamma \vdash B \sim X' \in \mathcal{T}$   by i.h. on (*)
  $\Theta \vdash C\,(\mathrm{p}^i, s) \sim F'\,d \in \mathcal{T}$   by i.h. on (**)

(b) Terms.

(1) $e = e' \in [\mathrm{Sing}\,d\,X]$.
  $\Gamma \vdash B \sim X \in \mathcal{T}$   by hypothesis (*)
  $\Gamma \vdash t : B \sim d \in [X]$   by hypothesis (**)
  $e' = d \in [X]$   by def. of $e = e' \in [\mathrm{Sing}\,d\,X]$ (†)
  $\Gamma \vdash t : B \sim e' \in [X]$   by i.h. on (*), (**) and (†)

(2) $f = f' \in [\mathrm{Fun}\,X\,F]$.
  $\Gamma \vdash A = \mathrm{Fun}\,A'\,B$   by hypothesis
  $\Gamma \vdash A' \sim X$   by hypothesis (*)
  $\Delta \vdash \mathrm{app}\,(t\,\mathrm{p}^i)\,s : B\,(\mathrm{p}^i, s) \sim f \cdot d \in [F\,d]$   by hypothesis (**)
    for all $\Delta \leq_i \Gamma$ and $\Delta \vdash s : A'\,\mathrm{p}^i \sim d \in [X]$
  $\Delta \vdash s : A'\,\mathrm{p}^i \sim d' \in [X']$   by i.h. on (*)
  $\Delta \vdash \mathrm{app}\,(t\,\mathrm{p}^i)\,s : B\,(\mathrm{p}^i, s) \sim f \cdot d' \in [F\,d']$   by i.h. on (*) and (**) and monotonicity 6.4

(3) $d = d' \in [\mathrm{Sum}\,X\,F]$.
  $d = d' \in [\mathrm{Sum}\,X\,F]$   hypothesis (*)
  $\Gamma \vdash t : A \sim d \in [\mathrm{Sum}\,X\,F]$   hypothesis (**)
  $\Gamma \vdash A = \Sigma\,A'\,B$   by inversion on (**)
  $\Gamma \vdash \Sigma\,A'\,B \sim \mathrm{Sum}\,X\,F \in \mathcal{T}$   by inversion on (**)
  $\Gamma \vdash \mathrm{fst}\,t : A' \sim \mathrm{fst}\,d \in [X]$   by inversion on (**) (†)
  $\Gamma \vdash \mathrm{snd}\,t : B\,(\mathrm{id}, \mathrm{fst}\,t) \sim \mathrm{snd}\,d \in [F\,(\mathrm{fst}\,d)]$   by inversion on (**) (‡)
  $\mathrm{fst}\,d = \mathrm{fst}\,d' \in [X]$   by definition of (*) (§)
  $\mathrm{snd}\,d = \mathrm{snd}\,d' \in [F\,(\mathrm{fst}\,d)]$   by definition of (*) (¶)
  $\Gamma \vdash \mathrm{fst}\,t : A' \sim \mathrm{fst}\,d' \in [X]$   by ind. hyp. on (†) and (§)
  $\Gamma \vdash \mathrm{snd}\,t : B\,(\mathrm{id}, \mathrm{fst}\,t) \sim \mathrm{snd}\,d' \in [F\,(\mathrm{fst}\,d')]$   by ind. hyp. on (‡) and (¶). □



C.7. Proof of Lemma 6.6. By induction on $X \in \mathcal{T}$. For a better organisation of the proof we show the proofs for each point separately.

(a) $\Gamma \vdash A = \mathrm{R}_{|\Gamma|} \Downarrow X$. We skip the part for the minimal elements in $\mathcal{T}$.

(1) $\mathrm{Sing}\,d\,X$:
  $\Gamma \vdash A' = \mathrm{R}_{|\Gamma|} \Downarrow X$   by ind. hyp.
  $\Gamma \vdash t = \mathrm{R}_{|\Gamma|} \downarrow_X d : A'$, with $d \in [X]$   by ind. hyp.
  $\Gamma \vdash \{t\}A' = \{\mathrm{R}_{|\Gamma|} \downarrow_X d\}(\mathrm{R}_{|\Gamma|} \Downarrow X)$   by congruence and transitivity

(2) $\mathrm{Fun}\,X\,F$:
  $\Gamma \vdash A' = \mathrm{R}_{|\Gamma|} \Downarrow X$   by ind. hyp.
  $\Delta \vdash B\,(\mathrm{p}^i, s) = \mathrm{R}_{|\Delta|} \Downarrow (F\,d)$   by ind. hyp. (*)
    for any $\Delta \leq_i \Gamma$ and $\Delta \vdash s : A'\,\mathrm{p}^i \sim d \in [X]$
  $\Gamma.A' \vdash \mathrm{q} : A'\,\mathrm{p} \sim \uparrow_X \mathrm{Var}_{|\Gamma|} \in [X]$   by ind. hyp. (†)
  $\Gamma.A' \vdash B\,(\mathrm{p}, \mathrm{q}) = \mathrm{R}_{|\Gamma.A'|} \Downarrow (F\,(\uparrow_X \mathrm{Var}_{|\Gamma|}))$   by instantiating (*) with (†)
  $\Gamma.A' \vdash B = \mathrm{R}_{|\Gamma.A'|} \Downarrow (F\,(\uparrow_X \mathrm{Var}_{|\Gamma|}))$   by 6.3

(b) $\Gamma \vdash t = \mathrm{R}_{|\Gamma|}\,d : A$. We skip the part for the minimal elements in $\mathcal{T}$.

(1) $d' \in [\mathrm{Sing}\,d\,X]$:
  $\Gamma \vdash A = \{b\}B$   (*)
  $\Gamma \vdash B \sim X \in \mathcal{T}$   (†)
  $\Gamma \vdash t : B \sim d \in [X]$
  $\Gamma \vdash t = \mathrm{R}_{|\Gamma|} \downarrow_X d : B$   by ind. hyp. on (†)
  $\Gamma \vdash t = \mathrm{R}_{|\Gamma|} \downarrow_X d : \{t\}B$   by conversion and (sing-eq-i)
  $\Gamma \vdash t = \mathrm{R}_{|\Gamma|} \downarrow_X d : A$   by conversion

(2) $f \in [\mathrm{Fun}\,X\,F]$:
  $\Gamma.A' \vdash \mathrm{q} : A'\,\mathrm{p} \sim \uparrow_X \mathrm{Var}_{|\Gamma|} \in [X]$   by ind. hyp. on the third part
  $d := \uparrow_X \mathrm{Var}_{|\Gamma|}$   abbreviation
  $\Gamma.A' \vdash \mathrm{app}\,(t\,\mathrm{p})\,\mathrm{q} : B\,(\mathrm{p}, \mathrm{q}) \sim f \cdot d \in [F\,d]$   by definition of the logical relation
  $\Gamma.A' \vdash \mathrm{app}\,(t\,\mathrm{p})\,\mathrm{q} = \mathrm{R}_{|\Gamma.A'|} \downarrow_{F\,d} (f \cdot d) : B\,(\mathrm{p}, \mathrm{q})$   by ind. hyp.
  $\Gamma.A' \vdash \mathrm{app}\,(t\,\mathrm{p})\,\mathrm{q} = \mathrm{R}_{|\Gamma.A'|} \downarrow_{F\,d} (f \cdot d) : B$   by (conv)
  $\Gamma \vdash \lambda(\mathrm{app}\,(t\,\mathrm{p})\,\mathrm{q}) = \lambda(\mathrm{R}_{|\Gamma.A'|} \downarrow_{F\,d} (f \cdot d)) : \mathrm{Fun}\,A'\,B$   by congruence
  $\Gamma \vdash t = \lambda(\mathrm{app}\,(t\,\mathrm{p})\,\mathrm{q}) : \mathrm{Fun}\,A'\,B$   by (eta)
  and we conclude by trans.

(c)

(1) $\mathrm{Sing}\,d\,X$:
  $\Gamma \vdash A = \{a\}B$   by hypothesis
  $\Gamma \vdash B \sim X \in \mathcal{T}$   by hypothesis
  $\Gamma \vdash t : B \sim d \in [X]$   by hypothesis
  $\Delta \vdash B\,\mathrm{p}^i \sim X \in \mathcal{T}$   by monotonicity 6.4
  $\Delta \vdash t\,\mathrm{p}^i : B\,\mathrm{p}^i \sim d \in [X]$   by monotonicity 6.4
  $\Delta \vdash A\,\mathrm{p}^i = \{a\,\mathrm{p}^i\}B\,\mathrm{p}^i$   by congruence

(2) $\mathrm{Fun}\,X\,F$:
  $\Delta \vdash s : A'\,\mathrm{p}^i \sim d' \in [X]$   hypothesis (*)
  $\Delta \vdash s = \mathrm{R}_{|\Delta|} \downarrow_X d' : A'\,\mathrm{p}^i$   by ind. hyp. on (*)
  $\Delta \vdash \mathrm{app}\,(t\,\mathrm{p}^i)\,s = \mathrm{app}\,((\mathrm{R}_{|\Gamma|}\,d)\,\mathrm{p}^i)\,(\mathrm{R}_{|\Delta|} (\downarrow_X d')) : B\,(\mathrm{p}^i, s)$   by congruence
  $\mathrm{R}_{|\Delta|}\,(\mathrm{App}\,d\,d') = \mathrm{app}\,((\mathrm{R}_{|\Gamma|}\,d)\,\mathrm{p}^i)\,(\mathrm{R}_{|\Delta|} (\downarrow_X d'))$   by definition
  $\Delta \vdash \mathrm{app}\,(t\,\mathrm{p}^i)\,s : B\,(\mathrm{p}^i, s) \sim \uparrow_{F\,d'} (\mathrm{App}\,d\,d') \in [F\,d']$   by ind. hyp.
C.8. Proof of Lemma 6.13. By induction on $\Gamma \vdash$; we show only the inductive case $\Gamma.A \vdash$.

  Let $d := \rho_\Gamma$   definition
  $\Gamma \vdash \mathrm{id} : \Gamma \sim d \in ([\Gamma])$   by inversion and i.h. (*)
  $\Gamma.A \vdash \mathrm{id}\,\mathrm{p} : \Gamma \sim d \in ([\Gamma])$   from (*) by Rem. 6.9 (†)
  $\Gamma.A \vdash \mathrm{p} : \Gamma \sim d \in ([\Gamma])$   from (†) by Rem. 6.8
  $\Gamma.A \vdash A\,\mathrm{p} \sim \llbracket A \rrbracket d \in \mathcal{T}$   by inversion and Thm. 6.11
  $\Gamma.A \vdash \mathrm{q} : A\,\mathrm{p} \sim \uparrow_{\llbracket A \rrbracket d} \mathrm{Var}_{|\Gamma|} \in [\llbracket A \rrbracket d]$   by Thm. 6.11
  $\Gamma.A \vdash (\mathrm{p}, \mathrm{q}) : \Gamma.A \sim (d, \uparrow_{\llbracket A \rrbracket d} \mathrm{Var}_{|\Gamma|}) \in \coprod ([\Gamma])\,(e \mapsto [\llbracket A \rrbracket e])$   by definition (‡)
  $\Gamma.A \vdash \mathrm{id} : \Gamma.A \sim \rho_{\Gamma.A} \in ([\Gamma.A])$   from (‡) by Rem. 6.8 □
C.9. Proof of Theorem 6.11. We note that for terms we show only the cases when the last rule used was the introductory rule, or the rule for introducing elements in singletons; for the case of the conversion rule, we can conclude by i.h. and Lemma 6.3.

(a) Types. We show only the case for (fun-f).
  $\Theta \vdash s : A\,\delta\,\mathrm{p}^i \sim e \in [X]$   hypothesis (*)
  $\Theta \vdash \delta\,\mathrm{p}^i : \Gamma \sim d \in ([\Gamma])$   by monotonicity for substitutions 6.9 (†)
  $\Theta \vdash (\delta\,\mathrm{p}^i, s) : \Gamma.A \sim (d, e) \in ([\Gamma.A])$   from (*) and (†)
  $\Theta \vdash B\,(\delta\,\mathrm{p}^i, s) \sim \llbracket B \rrbracket (d, e) \in \mathcal{T}$   by ind. hyp. on $\Gamma.A \vdash B$ and using 6.3 and 6.5

(b) Terms. We show the case for application (fun-el) and for ($\mathsf{N}_n$-e). The case for abstraction (fun-i) is analogous to (fun-f).

(1) (fun-el)
  $\Gamma \vdash \mathrm{app}\,t\,r : B\,(\mathrm{id}, r)$   hypothesis
  $\Delta \vdash r\,\delta : A\,\delta \sim \llbracket r \rrbracket d \in [\llbracket A \rrbracket d]$   by ind. hyp. (*)
  $\Delta \vdash t\,\delta : \mathrm{Fun}\,A\,B\,\delta \sim \llbracket t \rrbracket d \in [\llbracket \mathrm{Fun}\,A\,B \rrbracket d]$   by ind. hyp. (†)
  $\Delta \vdash \mathrm{app}\,(t\,\delta)\,(r\,\delta) : B\,(\mathrm{id}, r\,\delta) \sim \llbracket t \rrbracket d \cdot \llbracket r \rrbracket d \in [\llbracket B \rrbracket (d, \llbracket r \rrbracket d)]$   by def. of log. rel. for (†) with (*)
  $\Delta \vdash (\mathrm{app}\,t\,r)\,\delta : B\,(\mathrm{id}, r\,\delta) \sim \llbracket \mathrm{app}\,t\,r \rrbracket d \in [\llbracket B \rrbracket (d, \llbracket r \rrbracket d)]$   by 6.3 and 6.5

(2) ($\mathsf{N}_n$-e)
  $\Gamma \vdash \mathrm{case}_B\,t_0 \cdots t_{n-1}\,t : B\,(\mathrm{id}, t)$   hypothesis
  $\Delta \vdash t\,\delta : \mathsf{N}_n \sim \llbracket t \rrbracket d \in [\mathsf{N}_n]$   by inversion and by ind. hyp.
  $\Delta \vdash t\,\delta = \mathrm{R}_{|\Delta|} \llbracket t \rrbracket d : \mathsf{N}_n$   by 6.6
  $\Delta \vdash t_i\,\delta : B\,(\delta, c_i) \sim \llbracket t_i \rrbracket d \in [\llbracket B \rrbracket (d, \llbracket t \rrbracket d)]$   by inversion and by ind. hyp.

  If $\mathrm{R}_{|\Delta|} \llbracket t \rrbracket d = c_i$:
  $\Delta \vdash (\mathrm{case}_B\,t_0 \cdots t_{n-1}\,c_i)\,\delta = t_i\,\delta : B\,(\mathrm{id}, t)$   by subst.
  $\Delta \vdash (\mathrm{case}_B\,t_0 \cdots t_{n-1}\,c_i)\,\delta : B\,(\mathrm{id}, t) \sim \llbracket \mathrm{case}_B\,t_0 \cdots t_{n-1}\,t \rrbracket d \in [\llbracket B\,(\mathrm{id}, t) \rrbracket d]$   by 6.3 and 6.5

  If $\mathrm{R}_{|\Delta|} \llbracket t \rrbracket d \in \mathrm{Ne}$:
  $\Delta.\mathsf{N}_n \vdash B\,(\delta\,\mathrm{p}, \mathrm{q}) = \mathrm{R}_{|\Delta|+1} \Downarrow \llbracket B \rrbracket (d, \mathrm{Var}_{|\Delta|})$   by 6.6
  $\Delta \vdash t_i\,\delta = \mathrm{R}_{|\Delta|} \llbracket t_i \rrbracket d : B\,(\delta, c_i)$   by 6.6
  $t_i' := \mathrm{R}_{|\Delta|} \downarrow_{\llbracket B \rrbracket (d, c_i)} \llbracket t_i \rrbracket d$   abbreviation
  $t' := \mathrm{R}_{|\Delta|} \llbracket t \rrbracket d$   abbreviation
  $B' := \mathrm{R}_{|\Delta|+1} \Downarrow \llbracket B \rrbracket (d, \mathrm{Var}_{|\Delta|})$   abbreviation
  $\Delta \vdash (\mathrm{case}_B\,t_0 \cdots t_{n-1}\,t)\,\delta = \mathrm{case}_{B'}\,t_0' \cdots t_{n-1}'\,t' : B\,(\delta, t)$   congruence
  $\Delta \vdash (\mathrm{case}_B\,t_0 \cdots t_{n-1}\,t)\,\delta : B\,(\delta, t) \sim \uparrow_{\llbracket B \rrbracket (d, \llbracket t \rrbracket d)} (\mathrm{case}_{B'}\,t_0' \cdots t_{n-1}'\,t') \in [\llbracket B \rrbracket (d, \llbracket t \rrbracket d)]$
  $\Delta \vdash (\mathrm{case}_B\,t_0 \cdots t_{n-1}\,t)\,\delta : B\,(\mathrm{id}, t) \sim \llbracket \mathrm{case}_B\,t_0 \cdots t_{n-1}\,t \rrbracket d \in [\llbracket B\,(\mathrm{id}, t) \rrbracket d]$   by 6.3 and 6.5

(c) Substitutions. Only the proof for (ext-subs) is shown.
  $\Gamma \vdash (\gamma, t) : \Theta.A$   hypothesis
  $\Delta \vdash \gamma\,\delta : \Theta \sim \llbracket \gamma \rrbracket d \in ([\Theta])$   by ind. hyp. (*)
  $\Delta \vdash t\,\delta : (A\,\gamma)\,\delta \sim \llbracket t \rrbracket d \in [\llbracket A\,\gamma \rrbracket d]$   (†)
  $(\llbracket \gamma \rrbracket d, \llbracket t \rrbracket d) \in \coprod ([\Theta])\,(e \mapsto [\llbracket A \rrbracket (\llbracket \gamma \rrbracket e)])$   from (*) and (†)
  $\Delta \vdash (\gamma, t)\,\delta : \Theta.A \sim \llbracket (\gamma, t) \rrbracket d \in ([\Theta.A])$   by 6.8 and 6.10 □
C.10. Proof of Theorem 7.?. By simultaneous induction on $\Gamma \vdash V \Leftarrow$, $\Gamma \vdash v \Leftarrow V$, and $\Gamma \vdash k \Rightarrow V$.

(1) Types:

• the case for Fun is obtained directly from the derivations we get using the i.h. on $\Gamma \vdash V \Leftarrow$ and $\Gamma.V \vdash W \Leftarrow$, and use them for deriving $\Gamma \vdash \mathrm{Fun}\,V\,W$;

• for $\{v\}_V$, we can apply the same reasoning as before: by i.h. on $\Gamma \vdash V \Leftarrow$ and $\Gamma \vdash v \Leftarrow \mathrm{nbe}(V)$ we know that there are, respectively, derivations with conclusions $\Gamma \vdash V$ and $\Gamma \vdash v : V$, from which we can conclude $\Gamma \vdash \{v\}_V$;

• here we consider together the three cases when $V$ is a neutral term, because the reasoning is the same. By i.h. on $\Gamma \vdash V \Leftarrow \mathsf{U}$, we have a derivation with conclusion $\Gamma \vdash V : \mathsf{U}$; hence we use (u-el).

(2) Terms:

• let $V = \mathsf{U}$, and $v = \mathrm{Fun}\,V'\,W$. By i.h. $\Gamma \vdash V' : \mathsf{U}$, and $\Gamma.V' \vdash W : \mathsf{U}$, and using both derivations we can derive $\Gamma \vdash \mathrm{Fun}\,V'\,W : \mathsf{U}$.

• consider $V = \mathsf{U}$, and $v = \{v'\}_{V'}$: by i.h. on $\Gamma \vdash V' \Leftarrow \mathsf{U}$, and $\Gamma \vdash v' \Leftarrow \mathrm{nbe}(V')$, we have $\Gamma \vdash V' : \mathsf{U}$, and $\Gamma \vdash v' : \mathrm{nbe}(V')$, and using conversion we derive $\Gamma \vdash v' : V'$; these are the premises we need to show $\Gamma \vdash \{v'\}_{V'} : \mathsf{U}$.

• $V = \mathrm{Fun}\,V'\,W$, and $v = \lambda v'$: we have $\Gamma.V' \vdash v' \Leftarrow W$. From this we can conclude by i.h. $\Gamma.V' \vdash v' : W$; and this is the key premise for concluding $\Gamma \vdash \lambda v' : \mathrm{Fun}\,V'\,W$.

• $V = \{w\}_W$: by hypothesis we know $\Gamma \vdash w : W$, and $\Gamma \vdash v \Leftarrow W$, and $\Gamma \vdash w = v : W$; by the i.h. on the second one we get $\Gamma \vdash v : W$; then we can conclude using (sing-i).

• $v = k \in \mathrm{Ne}$, and $V \neq \{w\}_W$: let $\Gamma \vdash k \Rightarrow V'$, then we distinguish the cases when $V'$ is a singleton, and when $V'$ is not a singleton. In the latter case, the derivation is obtained directly from the correctness of type inference. In the first case we use the rule (sing-el), with the derivation obtained by i.h., and then we conclude with conversion.

(3) Inference:

• for $\mathrm{q}\,\mathrm{p}^i$, if $i = 0$, then we use (hyp), and conversion; if $i > 0$, then we have a derivation with conclusion $\Gamma \vdash \mathrm{q} : A_i\,\mathrm{p}$, and clearly $\Gamma \vdash \mathrm{p}^i : \Gamma.A_i \ldots A_0$, hence by (subs-term) we have $\Gamma.A_i \cdots A_0 \vdash \mathrm{q}\,\mathrm{p}^i : A_i\,\mathrm{p}^{i+1}$; we conclude by correctness of $\mathrm{nbe}(\_)$ and by conversion.

• for $\mathrm{app}\,k\,v$, by i.h. we have derivations with conclusions $\Gamma \vdash k : V$, with $V = \mathrm{Fun}\,V'\,W$, hence we have a derivation $\Gamma \vdash k : \mathrm{Fun}\,V'\,W$ (using (sing-el) if necessary) and $\Gamma \vdash v : V'$, hence by the rule (fun-el), we have $\Gamma \vdash \mathrm{app}\,k\,v : W\,(\mathrm{id}, v)$. We conclude by conversion and correctness of $\mathrm{nbe}(\_)$. □



C.11. Proof of Theorem 7.6. We prove simultaneously all the points. The first point is by induction on the structure of the type. In the last two points we use well-founded induction on the order $\prec$.

(1) Types:

• $\Gamma \vdash \mathrm{Fun}\,V'\,W$: by inversion we know $\Gamma \vdash V'$, and $\Gamma.V' \vdash W$; hence by i.h. we have respectively $\Gamma \vdash V' \Leftarrow$, and $\Gamma.V' \vdash W \Leftarrow$.

• $V = \{v\}_{V'}$: by inversion we have $\Gamma \vdash V'$, and $\Gamma \vdash v : \mathrm{nbe}(V')$, hence by i.h. we have both $\Gamma \vdash V' \Leftarrow$, and $\Gamma \vdash v \Leftarrow V'$.

• $\Gamma \vdash k$: we have to show $\Gamma \vdash k \Leftarrow$. By Lemma 2.7, we know $\Gamma \vdash k : \mathsf{U}$; hence by i.h. we have $\Gamma \vdash k \Leftarrow A$, and $\Gamma \vdash A = \mathsf{U}$, hence $\Gamma \vdash k \Leftarrow \mathsf{U}$.

(2) Terms: We omit the trivial cases, e.g. $(\mathsf{U}, A)$; we have re-arranged the order of the cases for the sake of clarity.

• $v = \mathrm{Fun}\,V'\,W$:

(a) either $\Gamma \vdash A = \mathsf{U}$, $\Gamma \vdash V' : \mathsf{U}$, and $\Gamma.V' \vdash W : \mathsf{U}$; hence, by i.h. we know both $\Gamma \vdash V' \Leftarrow \mathsf{U}$, and $\Gamma.V' \vdash W \Leftarrow \mathsf{U}$; hence we can conclude $\Gamma \vdash \mathrm{Fun}\,V'\,W \Leftarrow \mathsf{U}$.

(b) or $\Gamma \vdash A = \{a\}A'$, $\Gamma \vdash v : A'$, and $\Gamma \vdash v = a : A'$, hence by i.h. we know $\Gamma \vdash v \Leftarrow \mathrm{nbe}(A')$; by conversion and transitivity of the equality we also have $\Gamma \vdash \mathrm{nbe}(a) = v : \mathrm{nbe}(A')$, hence $\Gamma \vdash v \Leftarrow \{\mathrm{nbe}(a)\}_{\mathrm{nbe}(A')}$.

• $v = \{v'\}_{V'}$:

(a) $\Gamma \vdash V' : \mathsf{U}$, and $\Gamma \vdash v' : V'$. From those derivations we have by i.h. $\Gamma \vdash V' \Leftarrow \mathsf{U}$, and $\Gamma \vdash v' \Leftarrow \mathrm{nbe}(V')$, respectively; from which we conclude $\Gamma \vdash \{v'\}_{V'} \Leftarrow \mathsf{U}$.

(b) $\Gamma \vdash A = \{a\}A'$, with $\Gamma \vdash v : A'$, and $\Gamma \vdash v = a : A'$, hence by i.h. we know $\Gamma \vdash v \Leftarrow \mathrm{nbe}(A')$. We can also derive $\Gamma \vdash \mathrm{nbe}(a) = v : \mathrm{nbe}(A')$, hence $\Gamma \vdash v \Leftarrow \{\mathrm{nbe}(a)\}_{\mathrm{nbe}(A')}$.

• $v = \lambda v'$:

(a) $\Gamma \vdash A = \mathrm{Fun}\,A'\,B$, and $\Gamma.A' \vdash v' : B$; from this we can conclude $\Gamma.\mathrm{nbe}(A') \vdash v' : B$; by ind. hyp. we get $\Gamma.\mathrm{nbe}(A') \vdash v' \Leftarrow \mathrm{nbe}(B)$; therefore $\Gamma \vdash \lambda v' \Leftarrow \mathrm{Fun}\,\mathrm{nbe}(A')\,\mathrm{nbe}(B)$.

(b) or $\Gamma \vdash A = \{a\}A'$, $\Gamma \vdash v : A'$, and $\Gamma \vdash v = a : A'$, hence by i.h. we know $\Gamma \vdash v \Leftarrow \mathrm{nbe}(A')$; by conversion and transitivity of the equality we also have $\Gamma \vdash \mathrm{nbe}(a) = v : \mathrm{nbe}(A')$, hence $\Gamma \vdash v \Leftarrow \{\mathrm{nbe}(a)\}_{\mathrm{nbe}(A')}$.

• $v = k \in \mathrm{Ne}$: then we do case analysis on $\mathrm{nbe}(A)$.

(a) If $\mathrm{nbe}(A) = \{w\}_W$, then by soundness of $\mathrm{nbe}(\_)$ and conversion we have $\Gamma \vdash k : \{w\}_W$, and by inversion of singletons we have $\Gamma \vdash k : W$, and also $\Gamma \vdash k = w : W$ (*). Clearly $(k, W) \prec (k, A)$, hence we can apply the inductive hypothesis and conclude $\Gamma \vdash k \Leftarrow W$; from that and (*), we conclude $\Gamma \vdash k \Leftarrow \{w\}_W$; i.e., $\Gamma \vdash k \Leftarrow \mathrm{nbe}(A)$.

(b) If $V \neq \{w\}_W$, then $V' = V$. We use the last clause for concluding $\Gamma \vdash k \Leftarrow \mathrm{nbe}(A)$; but we need to show that if $\Gamma \vdash k \Rightarrow V'$, then $\Gamma \vdash V = V'$; we show this in the next point.

(3) Inference: let $\Gamma \vdash k : A$, $\Gamma \vdash k \Rightarrow V'$, and $V = \mathrm{nbe}(A)$. Show $\Gamma \vdash V = V'$.

• let us consider first the case when $V = \{w\}_W$; by inversion we have derivations $\Gamma \vdash k : W$, and $\Gamma \vdash k = w : W$. Hence by i.h. we know that $\Gamma \vdash V' = W$, and $V = \{w\}_W$.

• now we consider the case when $V$ is not a singleton, and $k = \mathrm{q}\,\mathrm{p}^i$; this case is trivial because by inversion we know that $\Gamma \vdash V = \mathrm{nbe}(A_i\,\mathrm{p}^{i+1})$.

• the last case to consider is $k = \mathrm{app}\,k'\,v$ and $V$ not a singleton. By inversion we know $\Gamma \vdash \mathrm{app}\,k'\,v : B\,(\mathrm{id}, v)$, and $\Gamma \vdash k' : \mathrm{Fun}\,A\,B$, hence $\Gamma \vdash k' : \mathrm{Fun}\,\mathrm{nbe}(A)\,\mathrm{nbe}(B)$, and $\Gamma \vdash v : A$, hence $\Gamma \vdash v : \mathrm{nbe}(A)$. By i.h. we know that if $\Gamma \vdash k' \Rightarrow V''$, then $V'' = \mathrm{Fun}\,\mathrm{nbe}(A)\,\mathrm{nbe}(B)$, and also $\Gamma \vdash v \Leftarrow \mathrm{nbe}(A)$. Hence we can conclude $\Gamma \vdash \mathrm{app}\,k'\,v \Rightarrow \mathrm{nbe}(\mathrm{nbe}(B)\,(\mathrm{id}, v))$. And $\Gamma \vdash \mathrm{nbe}(\mathrm{nbe}(B)\,(\mathrm{id}, v)) = \mathrm{nbe}(B\,(\mathrm{id}, v))$ (by correctness of the $\mathrm{nbe}(\_)$ algorithm). □